Right now I am working with indexes that are created daily using the following output in my config file:
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-events-%{+YYYY.MM.dd}"
}
}
This is fine, but I was wondering if it is possible to have it make new indexes every week.
Sure, use e.g. YYYY.ww as the timestamp format string. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#sprintf for details.
A small note. Using xxxx.ww will be more preferable compared to YYYY.ww. YYYY.ww doesn't handle the rolling of year gracefully. So you could end up with 2017.52 in the first week of 2017. See https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/541#issuecomment-270923437
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.