Logstash creating day based indexes

Hello guys,

I am new to Logstash. I have configured Logstash to process syslog messages and it is creating indexes every day, but I need a single index for syslog messages. (I understand Logstash will create indexes based on @timestamp.) Please help me.


input {
  udp {
    # Ports below 1024 need elevated privileges to bind. Plain UDP syslog is
    # unauthenticated and unencrypted, so restrict who can reach this port.
    port => 514
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Parses firewall-style lines (SRC=/DST=/PROTO=/SPT=/DPT=); lines that
      # do not match are tagged _grokparsefailure and pass through unchanged.
      match => { "message" => "%{SYSLOG5424SD:time_stamp} %{WORD:conn_type} -- %{WORD:action}.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.PROTO=%{WORD:proto} SPT=%{WORD:src_port} DPT=%{WORD:dst_port}." }
      # Both added fields belong in one hash; repeating add_field is ambiguous.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
  }
}

output {
  # No index option is set, so the default daily pattern
  # "logstash-%{+YYYY.MM.dd}" (based on each event's @timestamp) is used.
  elasticsearch { hosts => ["es-1:9200", "es-2:9200"] }
  stdout { codec => rubydebug }
}


Your post is really badly formatted and hard to read, you may want to edit it.

How do you expect to have a single index that you can delete after 8 months? All your data will be in that single index, irrespective of time.

Hi Mark Walkom,

Sorry for the bad formatting. At least let me know how to create an index per month, time based.

Please use the preview pane to the right to see what your messages look like before you post them.

I think using a single index is misguided, but I can't stop you from shooting yourself in the foot. Look at the elasticsearch output's index option and keep in mind that the index template that Logstash installs by default only applies to indexes whose names begin with "logstash-".
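The output block below is an added example of what that advice looks like in practice; it is not from any post in this thread. It reuses the two Elasticsearch hosts from the original configuration and otherwise assumes nothing beyond the stock elasticsearch output plugin.

```conf
output {
  elasticsearch {
    hosts => ["es-1:9200", "es-2:9200"]

    # Monthly index. The date part is expanded from each event's @timestamp
    # (in UTC), so a late-arriving event lands in the month it was logged,
    # not the month Logstash received it. Keeping the "logstash-" prefix
    # means the default index template Logstash installs still applies.
    index => "logstash-%{+YYYY.MM}"

    # Weaker alternative (commented out): a prefix of your own drops you
    # outside the default template, so field mappings fall back to
    # Elasticsearch's dynamic guesses unless you also point the plugin at
    # your own template with the template / template_name options.
    # index => "syslog-%{+YYYY.MM}"

    # The single fixed index originally asked for (commented out): it works,
    # but retention then means deleting documents by query inside one index
    # instead of simply dropping an old index.
    # index => "syslog"
  }
}
```

Whatever pattern you choose, verify it with `curl -s 'http://es-1:9200/_cat/indices/logstash-*?v'` after a few events have flowed; the index list should show exactly one name per month, and a mismatch usually means the pattern was applied to a different output block than the one actually receiving the events.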

Thank you magnusbaeck, now I am able to create a time-based index.