As you may know, in a default Logstash => ES setup, the indexes appear
under the /var/lib/elasticsearch../../indices directory on a per-day basis.
This makes day-based index deletion easier. Now, would it be possible
to facilitate index creation according to the 'source' as well, while
keeping the day-based index creation intact? By source I mean a 'server'.
I'll make it clearer:
I'd like to have indexes created on both a per-day AND a per-server basis.
With the default setting, indexes are currently named Logstash-yyyy-mm-dd.
Would it be possible to have them as mx-mail1-yyyy-mm-dd,
webserver1-yyyy-mm-dd, etc., where mx-mail1/webserver1 are the servers sending
logs to ES via Logstash?
The reason I'm asking is that I'd like to retain web-server logs for more
days than mail-server logs.