I think I have to split up my index, because I was seeing errors about there being too many fields. I was collecting all of the Security, System, Application, and a bunch of other Windows logs into a single index, and I think the field count was well over 1000.
@andrewkroh, your solution to the topic "How to separate Winlogbeat logs to different ES indexes" was excellent and got me started; however, I have the following issue now.
Here is my winlogbeat.yml, the `output.elasticsearch` part:

```yaml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["IP:9200"]
  indices:
    - index: "winlogbeat-security-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "Security"
    - index: "winlogbeat-application-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "Application"
    - index: "winlogbeat-system-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "System"
```
In Kibana I have set up index patterns for:

- `winlogbeat-*` (I need this one to catch everything other than the below)
- `winlogbeat-security-*`
- `winlogbeat-application-*`
- `winlogbeat-system-*`
My issue is obviously that `winlogbeat-*` matches everything. I figure I can do `winlogbeat-6.3.0-*`, but I am wondering if this is the best way to "catch everything else".
Setting aside all of the above, however, I am still seeking guidance on whether my splitting strategy above is even a good one, because now I am struggling to create visuals across multiple indices.
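The overlap the post describes can be checked offline. The following is an added example, not code from the post or from Winlogbeat: it mimics the first-match-wins behaviour of the `indices` routing above, falls back to an assumed default index name of the form `winlogbeat-<version>-<date>`, and approximates Kibana index patterns as shell-style globs, using constructed sample events.

```python
import fnmatch
from datetime import date

# Routing rules copied from the post's config: first matching condition wins.
ROUTES = [
    ({"log_name": "Security"},    "winlogbeat-security-%{[beat.version]}-%{+yyyy.MM.dd}"),
    ({"log_name": "Application"}, "winlogbeat-application-%{[beat.version]}-%{+yyyy.MM.dd}"),
    ({"log_name": "System"},      "winlogbeat-system-%{[beat.version]}-%{+yyyy.MM.dd}"),
]
# Assumption: events that match no rule land in the beat's default daily index.
DEFAULT_INDEX = "winlogbeat-%{[beat.version]}-%{+yyyy.MM.dd}"


def expand(template, event, day):
    """Resolve the two placeholders used in the post's index templates."""
    return (template
            .replace("%{[beat.version]}", event["beat"]["version"])
            .replace("%{+yyyy.MM.dd}", day.strftime("%Y.%m.%d")))


def select_index(event, day):
    """Mimic output.elasticsearch.indices: first `when.equals` match wins."""
    for conditions, template in ROUTES:
        if all(event.get(k) == v for k, v in conditions.items()):
            return expand(template, event, day)
    return expand(DEFAULT_INDEX, event, day)


def pattern_matches(pattern, index_name):
    """Approximate a Kibana index pattern as a case-sensitive wildcard glob."""
    return fnmatch.fnmatchcase(index_name, pattern)


# Constructed sample: the three routed channels plus one unrouted channel ("Setup").
SAMPLE_DAY = date(2018, 6, 28)
SAMPLE_EVENTS = [
    {"log_name": "Security",    "beat": {"version": "6.3.0"}},
    {"log_name": "Application", "beat": {"version": "6.3.0"}},
    {"log_name": "System",      "beat": {"version": "6.3.0"}},
    {"log_name": "Setup",       "beat": {"version": "6.3.0"}},
]


def overlap_report(patterns, events=SAMPLE_EVENTS, day=SAMPLE_DAY):
    """Map each Kibana pattern to the sorted list of resolved index names it would match."""
    names = [select_index(e, day) for e in events]
    return {p: sorted(n for n in names if pattern_matches(p, n)) for p in patterns}


if __name__ == "__main__":
    for pat, hits in overlap_report(["winlogbeat-*", "winlogbeat-6.3.0-*"]).items():
        print(f"{pat:20} -> {hits}")
```

Running it shows that `winlogbeat-*` picks up all four daily indices while `winlogbeat-6.3.0-*` matches only the unrouted one, which is the narrowing the post is considering.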