Watching Logstash indexes

joelshprentz · June 2, 2015, 7:57pm

The watch example at https://www.elastic.co/guide/en/watcher/current/api-rest.html#api-rest-put-watch shows how to specify searching all Logstash indexes:

"indices" : [
  "logstash*"
],

The same example contains a time filter that limits the search to the five minutes before the schedule search time:

"filter": {
  "range": {
    "@timestamp" : {
      "from": "{{ctx.trigger.scheduled_time}}||-5m",
      "to": "{{ctx.trigger.triggered_time}}"
   }
  }
}

We keep months of daily Logstash indexes, but only today's index (and occasionaly yesterday's index) can contain events from the preceding five minutes.

Does the Watcher limit its search to the time relevant Logstash indexes? Or is there some other way to specify which Logstash indexes to search?

--
Joel Shprentz

GaelTadh · June 2, 2015, 9:33pm

Hi Joel,
Right now watcher doesn't have the ability to limit the searches to indices by time. You may be able to solve this problem using an index alias to point at the last two days indices and then use the alias in your watch. See https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html
You can also use curator https://www.elastic.co/guide/en/elasticsearch/client/curator/current/index.html to manage this alias.
Brian

Topic		Replies	Views
Easy to hit Seach Queue number in setting for watching a time series log Elasticsearch elastic-stack-alerting	6	1821	July 6, 2017
Can I dynamically specify indices to search? Elasticsearch elastic-stack-alerting	3	662	January 12, 2017
Timing issues with Watcher Elasticsearch elastic-stack-alerting	4	1108	September 1, 2017
Elasticsearch indexes - watcher notifications Elasticsearch elastic-stack-alerting	9	1574	September 15, 2017
Watcher / Alerting: Time issues with frequent watch Elasticsearch	3	2072	January 11, 2017

Watching Logstash indexes

Related topics