and I was expecting ES (ver 7) to make an index something like logstash-asterisk-2019.09.02.15 for 3pm.
But when I look at Kibana, the hour section just starts from 01, 02, and 03.
logstash-asterisk-2019.09.02.01
logstash-asterisk-2019.09.02.02
logstash-asterisk-2019.09.02.03
Is this how it is designed, or is something wrong?
I was expecting this:
logstash-asterisk-2019.09.02.15 for 3pm.
logstash-asterisk-2019.09.02.16 for 4pm.
logstash-asterisk-2019.09.02.17 for 5pm.
Can you show a document together with the name of the index it ended up in? Be aware that this is based on the @timestamp field, which is in UTC.
As a side note - how come you are using hourly indices? Do you have an extreme amount of data coming in or a very short retention period? If not, be aware that this generally results in a lot of indices and shards which can cause performance problems down the line. Have a look at this blog post for guidance.
Ah, it is UTC. That makes sense. I accidentally started the hourly index at 1 am UTC, so it started from 01.
We are collecting Kamailio logs. It creates 60GB every hour, so we can keep only the last few hours of logs.
Thanks for your help.
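
An added example, not part of the original thread: a Python sketch of the point made above, that the hour in the index name comes from @timestamp in UTC, plus a helper that lists which hourly indices cover a local-time window when searching short-retention logs. The UTC-5 offset and the sample times are constructed assumptions; only the logstash-asterisk- prefix comes from the thread.

```python
from datetime import datetime, timedelta, timezone

PREFIX = "logstash-asterisk-"  # index prefix used in the thread


def index_for(ts: datetime) -> str:
    """Hourly index name for an event, keyed on its timestamp converted to UTC."""
    if ts.tzinfo is None:
        # A naive datetime would silently be read as the host's local time.
        raise ValueError("timestamp must be timezone-aware")
    return PREFIX + ts.astimezone(timezone.utc).strftime("%Y.%m.%d.%H")


def indices_for_window(start: datetime, end: datetime) -> list[str]:
    """Every hourly index that can hold events between start and end (inclusive)."""
    if end < start:
        raise ValueError("end is before start")
    cur = start.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
    end_utc = end.astimezone(timezone.utc)
    names = []
    while cur <= end_utc:
        names.append(index_for(cur))
        cur += timedelta(hours=1)
    return names


# Constructed sample: a viewer whose wall clock is UTC-5 (assumed offset).
LOCAL = timezone(timedelta(hours=-5))

if __name__ == "__main__":
    # 3:30 pm local lands in the UTC hour-20 index, not hour 15.
    print(index_for(datetime(2019, 9, 2, 15, 30, tzinfo=LOCAL)))
    # A late-evening local window crosses into the next UTC date.
    for name in indices_for_window(
        datetime(2019, 9, 2, 22, 30, tzinfo=LOCAL),
        datetime(2019, 9, 3, 0, 10, tzinfo=LOCAL),
    ):
        print(name)
```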