Hi,
I'm an ELK newbie. I configured rsyslogd and sending logs via the json template into logstash. Things worked fine for awhile but my index got "full". I lost a few days of logs. The rsyslog data/files are still there from the client on the disk. Is there a way for Logstash to go back and re-read this data? It seems the rsyslog to logstash communication is only like a "live" update? I fixed the index issue and I'd like to recover the missing data. Would like to know for future problems if any sync gets interrupted.
As for the index issue, the example we copied used a monthly index like YYYY-MM which filled up. I've changed it to YYYY-MM-DD
Thanks!