What are the default rollover settings? How to identify rollover settings in Logstash?

shankarps · May 9, 2018, 11:16pm

I started working on an existing ELK installation. I see that it has rollover option daily. The logs are written to the logstash-* indices, rolling over daily, like this index name - logstash-2018.05.09.

I am trying to identify where this setting is applied.
I can see that it is not applied in the conf file. This is the output conf -

output {
elasticsearch { hosts => "localhost:9200" }
}

Notice that the index is not specified. I can see that the indexes do not have an alias either. There is no alias in the template "logstash-*".

I also checked the curator and cannot see any rollover settings there.

Is this rollover happening by default? What steps can i take to troubleshoot and identify the rollover settings in this ELK installation? Thanks.

Badger · May 10, 2018, 12:26am

That is the default for the index option to the elasticsearch output if you do not supply one.

Christian_Dahlqvist · May 10, 2018, 6:21am

This is not using the rollover feature in Elasticsearch. Instead the index name is created in Logstash based on the value of the @timestamp field, before they are sent to Elasticsearch.

system · June 7, 2018, 6:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.