Hi, in Logstash I'm currently using the following pattern...
index => "some-index-name-here_%{+YYYY.MM}"
I was thinking that I should base the YYYY.MM on the time parsed from the actual log line instead of using the calculated YYYY.MM from Logstash. That way, if I want to re-index a file, it would go into the correct index.
But the issue is that for every other app, NOT necessarily the ones I control, the time format is different, and thus the pipeline will become cumbersome.
Just wondering how others are approaching this...
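
Added example, not part of the original post: a single `date` filter can try several timestamp formats in order and write the result to `@timestamp`, which is the field the `%{+YYYY.MM}` reference in the index name is formatted from. The field name `log_time`, the listed formats and the `_unparsed_` index name are assumptions made for illustration.

```logstash
filter {
  # Assumption: an earlier grok/dissect stage stored the raw timestamp text
  # in a field named "log_time" (hypothetical name).
  date {
    # Formats are tried in order; the first one that parses wins.
    match => [
      "log_time",
      "ISO8601",
      "dd/MMM/yyyy:HH:mm:ss Z",
      "MMM dd HH:mm:ss",
      "MMM  d HH:mm:ss",
      "UNIX_MS"
    ]
    target => "@timestamp"
    # On failure @timestamp keeps the time Logstash received the event.
    tag_on_failure => ["_dateparsefailure"]
  }
}

output {
  if "_dateparsefailure" in [tags] {
    # Keep events whose time could not be parsed out of the dated indices,
    # so a re-indexed file never lands silently in the wrong month.
    elasticsearch {
      index => "some-index-name-here_unparsed_%{+YYYY.MM}"
    }
  } else {
    elasticsearch {
      index => "some-index-name-here_%{+YYYY.MM}"
    }
  }
}
```

Routing on `_dateparsefailure` makes a new, unrecognised time format show up as a growing side index instead of as events filed under the ingestion month.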