Hi. We have some existing logstash logs in our elasticsearch cluster. Their pattern is logstash-imu-logs-*. We have a template for that pattern, but unfortunately it was missing the mapping for one of our fields. As the docs state, we can't retroactively apply changes we make to the logstash-imu-logs-* index template to our indices. So we want to reindex, but not clear on how to do that in that case. We've been looking at the documentation to reindex an existing index to a new index, but what about existing logs to a new index template? We thought perhaps we'd create a new template called logstash-imu-logs-reindexed-* with all the required mapping and settings, but now we don't know how to proceed from here.
Vanessa,
Depending on type of data you need to employ different strategies. Can you provide more information on the data
- Are indices append only? or does logstash updates existing log entries?
- Are you using time based indices? Key characteristic is logstash creates new indices daily/weekly/monthly and older indices do not get updated.
- If logstash updates docs, do log entries have the last updated timestamp which is updated by logstash at the time of update?
For typical append only and time based indices
- Update template so future indices will be created with correct mapping
- Take snapshot of old (non-updatable) indices
- Create a new empty index logstash-imu-logs-reindexed-XYZ for existing index logstash-imu-logs-XYZ. Assuming existing template pattern matches the new index name it will have revised mapping.
curl -XPUT http://localhost:9200/logstash-imu-logs-reindexed-XYZ - Use reindex API to reindex https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html
- Verify all data copied. Verify snapshot in step #2 has the old index.
- Drop the old index
- Create alias index logstash-imu-logs-XYZ for the index logstash-imu-logs-reindexed-XYZ
- Wait for the current index to roll over. Then follow same steps for this index.
Hi @Vinayak_Sapre - apologies for the very late reply. I was working on some other things. I should mention we are using Elastic Cloud.
- Yes, indices are append only
- We have one index per day
- n/a
We did do something similar to what you described, but found that not all of our indices got reindexed. We also noticed that there were fewer documents in the reindexed indices - but that's probably a separate issue where our Logstash trial and error generated duplicates. Do you know why not all indices would be reindexed? Do the steps you describe have to be done one index at a time?
Depending on how much your cluster can handle you can reindex multiple indices in parallel. See Elastic recommendation here Reindex API | Elasticsearch Guide [8.11] | Elastic
If your source has duplicates your destination should have duplicates too. Count should match. Count mismatch indicate error occurred while copying some documents or new documents got added to the source index after reindexing started. Check elasticsearch logs for reindexing errors.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.