Reindex a subset of data to a different index

kernelpanic · June 16, 2020, 4:29pm

Hello all, we're using Elasticsearch to index Windows event logs and keeping them for 6 months; what I would like to do is reindex a subset of data such as:

user creation/deletion events
group creation/deletion events
interactive user logon events

...to another index that will be kept for longer. I'd like to do this at the same time as events are going into the main Windows event log index but as far as I can tell you can't write the same data to different indexes simultaneously.

Can anyone tell me what my options are?

Thanks.

Badger · June 16, 2020, 4:39pm

You can have multiple elasticsearch outputs in a single pipeline, so you can write data to different indexes simultaneously. The outputs can be surrounded with conditionals so that only a subset of data is written to one of the indexes.

kernelpanic · June 16, 2020, 5:00pm

Thankyou Badger I wasn't aware you could have conditionals in the output, will look into it.

system · July 14, 2020, 5:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.