Load the index template manually (alternate method)


I am running Winlogbeat on a machine which doesn't have access to Elasticsearch. So I will need to load the index template manually (Winlogbeat outputs to Logstash) with the alternate method. I have a few questions:

  • I am running Winlogbeat on nearly 30 Windows machines and I didn't load the index template earlier, and now I am planning to load the index template. Would there be any issues if I load the index template on existing data which is being sent using Logstash?

  • Also, since there are 30 machines, do I need to export the index template to a file on all 30 servers using
    PS> .\winlogbeat.exe export template --es.version 6.3.1 | Out-File -Encoding UTF8 winlogbeat.template.json

  • All these 30 machines send logs to different indices (5 different indices, meaning 6 machines per product) in Elasticsearch (through Logstash). So, do I need to load the index template per index? If so, how do I do it? Because the command below doesn't specify any index:
    curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/winlogbeat-6.3.1 -d@winlogbeat.template.json

Please help me understand this concept. Thanks in advance!

You only need to install the template once. So you will export it from one Winlogbeat instance and install it to Elasticsearch. If you update Winlogbeat versions then you should install the updated template first.

After you have exported the file you can modify it manually to ensure that it applies to all of your indexes. Inside the file is an array called index_patterns that needs to match all of your indices.

When you install the template it will not apply to existing indices. Index templates are used at index creation time to establish the mapping for the index.
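The index_patterns edit described in the reply above can be checked before the template is loaded. This is an added example, not part of the original thread or of Elastic's tooling: it replaces index_patterns in an exported template and reports which future index names no pattern would cover. The `product-*` index names and the trimmed template are constructed for illustration.

```python
import copy
import re


def pattern_to_regex(pattern):
    # Elasticsearch index patterns treat only '*' as a wildcard;
    # every other character (dots, dashes) must match literally.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts))


def retarget_template(template, patterns):
    """Return a copy of an exported template with index_patterns replaced."""
    if "index_patterns" not in template:
        raise KeyError("no index_patterns array in this template export")
    patched = copy.deepcopy(template)
    patched["index_patterns"] = list(patterns)
    return patched


def uncovered_indices(template, index_names):
    """Index names that none of the template's patterns match."""
    regexes = [pattern_to_regex(p) for p in template["index_patterns"]]
    return [n for n in index_names if not any(r.fullmatch(n) for r in regexes)]


# Constructed stand-in for winlogbeat.template.json; a real export
# carries the full Winlogbeat field mappings.
EXPORTED = {
    "index_patterns": ["winlogbeat-6.3.1-*"],
    "settings": {"index": {"number_of_shards": 3}},
    "mappings": {"doc": {"properties": {"event_id": {"type": "long"}}}},
}

# Hypothetical names of the daily indices Logstash will create next,
# one per product (the thread does not give the real names).
FUTURE_INDICES = ["product-%s-2018.08.01" % p for p in "abcde"]

if __name__ == "__main__":
    print("not covered before:", uncovered_indices(EXPORTED, FUTURE_INDICES))
    patched = retarget_template(EXPORTED, ["winlogbeat-6.3.1-*", "product-*"])
    print("not covered after: ", uncovered_indices(patched, FUTURE_INDICES))
```

Indices that already exist keep their current mapping either way, so the check only matters for names Logstash has yet to create.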
