Discuss the Elastic Stack

Testing Elastic Stack and winlogbeat / query exceeds 1000 shards

Elastic Stack Elasticsearch

jkuang (Jimmy Kuang) March 10, 2017, 3:56pm 22

I figured out why:

The ignore_older is only set for the Application log in the config you provided. Use the following if you would like a 72h set for each event log.

  event_logs:
    - name: Application
      ignore_older: 72h 
    - name: Security
      ignore_older: 72h
    - name: System
      ignore_older: 72h

Winlogbeat many shards

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.