Reindex a subset of data to a different index

kernelpanic · June 16, 2020, 4:29pm

Hello all, we're using Elasticsearch to index Windows event logs and keeping them for 6 months; what I would like to do is reindex a subset of data such as:

user creation/deletion events
group creation/deletion events
interactive user logon events

...to another index that will be kept for longer. I'd like to do this at the same time as events are going into the main Windows event log index but as far as I can tell you can't write the same data to different indexes simultaneously.

Can anyone tell me what my options are?

Thanks.

Badger · June 16, 2020, 4:39pm

You can have multiple elasticsearch outputs in a single pipeline, so you can write data to different indexes simultaneously. The outputs can be surrounded with conditionals so that only a subset of data is written to one of the indexes.

kernelpanic · June 16, 2020, 5:00pm

Thankyou Badger I wasn't aware you could have conditionals in the output, will look into it.

system · July 14, 2020, 5:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reindexing Data Logstash	3	546	September 6, 2019
Continuously copy specific documents to another index? Elasticsearch	9	1401	December 16, 2020
Duplicating Event To Multiple Indices Logstash	4	206	June 7, 2023
Extract a subset of an big Index Logstash	5	451	July 8, 2020
Is it possible to schedule a reindex which only indexes certain messages? Elasticsearch	2	567	May 25, 2020

Reindex a subset of data to a different index

Related topics