Management of indexes

Hi,

I use Elasticsearch on the access logs of several websites. I create one index
per day for every website. I would like to have visibility of my access logs over a
period of 24 hours. But, for the moment, I close every index of the day
before every morning. So I only have visibility of a few hours.

I have 2 solutions for my problem:

  • I create an index per hour instead of one index per day. But I think it's
    a bad idea because I will get too many indexes. Maybe I am totally wrong.
  • Or I duplicate my index of the day before. I close the original index, in
    case I need it later. And I use "delete by query" on my copy every
    hour to keep a visibility of 24 hours. But I don't know how to have 2
    indexes with the same name (one open and one closed).

Do you have any advice for my problem?

Hubert

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

For a 24-hour sliding window and daily indexes, you can try the following:
close the index of the day before yesterday, so you have two indexes open, for
yesterday and today. Then use a filter in your query on the timestamp field
from now minus 24 * 3600 seconds, using the two day indexes in your query.

Jörg

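The approach suggested in the reply above, sketched as an added example that is not part of the original thread: it builds the multi-index search request for the last 24 hours and names the index that is safe to close. The index naming pattern `<site>-YYYY.MM.DD`, the `@timestamp` field name, the use of UTC days and the `bool`/`filter` query form are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Window size exactly as described in the reply: 24 * 3600 seconds.
WINDOW = timedelta(seconds=24 * 3600)


def index_name(site, day):
    # Assumed naming pattern: one index per site per UTC day.
    return f"{site}-{day:%Y.%m.%d}"


def open_indexes(site, now):
    """The two daily indexes that can hold events from the last 24 hours."""
    today = now.date()
    return [index_name(site, today - timedelta(days=1)), index_name(site, today)]


def close_request(site, now):
    """Path of the close call for the day before yesterday, which the
    24-hour window can no longer reach."""
    return "/" + index_name(site, now.date() - timedelta(days=2)) + "/_close"


def search_request(sites, now, ts_field="@timestamp"):
    """Return (path, body) for one search over yesterday's and today's
    indexes of every site, filtered to the last 24 hours."""
    start = now - WINDOW
    names = [name for site in sites for name in open_indexes(site, now)]
    path = "/" + ",".join(names) + "/_search"
    body = {
        "query": {
            "bool": {
                "filter": [
                    {"range": {ts_field: {"gte": start.isoformat(),
                                          "lt": now.isoformat()}}}
                ]
            }
        }
    }
    return path, body


if __name__ == "__main__":
    # Constructed sample: two hypothetical sites, current UTC time.
    now = datetime.now(timezone.utc)
    print(search_request(["site-a", "site-b"], now))
    print(close_request("site-a", now))
```

The returned path and body can be sent with any HTTP client; the close call would run once per site after midnight UTC.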