Restore arcsight_logs_template index template created by ArcSight Module?

Hi, not sure if Elasticsearch is the correct category. However, I used the Dev Tools in Kibana to update the pre-created index template arcsight_logs_template, created by the ArcSight Module. I updated the number_of_replicas setting, but when I looked to see if my setting was saved in the index template, it now only contains the number_of_replicas setting; everything else, including the mappings, is gone. Is there any way to restore the arcsight_logs_template? I do not use snapshots or have a backup.

I moved the question to #beats:filebeat.
Probably the template that was used initially is somewhere on disk? But I'm not a Filebeat expert :wink:

Another solution could be to start a local Elasticsearch + Filebeat with the ArcSight module and let it write the index template. Then GET _template/arcsight_logs_template and use it in the production cluster?

Hi, I have never used Filebeat. This is from the Logstash Module, so perhaps Logstash is the correct category. Is anyone working with Logstash Modules on your side who can answer this?

I recreated the index template by copying the content of an existing index. However, I had to remove the "syslog" type and use the "_doc" type. I found a bug report about "syslog" and I guess it will be fixed in the future.
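
An added example, not part of the original posts: Python helpers that build the two request bodies this thread is about, the full template to send back when changing one setting (PUT _template replaces the stored template rather than merging into it) and a template rebuilt from a GET of an existing index. The function names, the sample response and the `arcsight-*` pattern are assumptions made for the illustration.

```python
import copy
import json

# Settings Elasticsearch assigns to each index itself; they do not belong in a template.
INDEX_ONLY_SETTINGS = ("uuid", "creation_date", "provided_name", "version")

def updated_template_body(get_template_response, name, index_overrides):
    """Body to PUT when changing settings: the stored template plus the overrides.
    PUT _template/<name> replaces the whole template, so everything that should
    survive (mappings, other settings) has to be sent again."""
    body = copy.deepcopy(get_template_response[name])
    body.setdefault("settings", {}).setdefault("index", {}).update(index_overrides)
    return body

def template_from_index(get_index_response, index_patterns, mapping_type=None):
    """Rebuild a template body from a GET /<index> response for one index."""
    if len(get_index_response) != 1:
        raise ValueError("pass the response for exactly one index")
    (body,) = get_index_response.values()
    mappings = copy.deepcopy(body.get("mappings") or {})
    if not mappings:
        raise ValueError("index has no mappings to copy")
    if mapping_type and len(mappings) == 1:
        # Typed (6.x-style) mappings only: rename the single type, e.g. "syslog" -> "_doc".
        (only_type,) = mappings.values()
        mappings = {mapping_type: only_type}
    settings = copy.deepcopy(body.get("settings", {}).get("index", {}))
    for key in INDEX_ONLY_SETTINGS:
        settings.pop(key, None)
    return {"index_patterns": list(index_patterns),
            "settings": {"index": settings},
            "mappings": mappings}

# Constructed sample of a 6.x-style GET /<index> response (index name and field invented).
SAMPLE_INDEX = {
    "arcsight-2018.06.01": {
        "aliases": {},
        "mappings": {"syslog": {"properties": {"deviceVendor": {"type": "keyword"}}}},
        "settings": {"index": {
            "creation_date": "1527811200000", "uuid": "constructed-uuid",
            "provided_name": "arcsight-2018.06.01", "version": {"created": "6020499"},
            "number_of_shards": "5", "number_of_replicas": "1",
        }},
    }
}

if __name__ == "__main__":
    rebuilt = template_from_index(SAMPLE_INDEX, ["arcsight-*"], mapping_type="_doc")
    print(json.dumps(rebuilt, indent=2))
```

Saving the GET _template output to a file before any PUT gives a copy to restore from if the new body turns out to be incomplete.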
