OK, it seems I resolved the issue:
In short: you have to use the default output index in Logstash:
output {
  elasticsearch {
    host => "localhost"
    protocol => "http"
  }
}
In ES this results in the index logstash-YYYY.MM.DD.
Since I am trying to deal with syslogs, I thought it was a good idea to create a dedicated index:
output {
  if [type] == "syslog" {
    elasticsearch {
      host => "localhost"
      index => "syslog-%{+YYYY.MM.dd}"
      protocol => "http"
    }
  } else {
    elasticsearch {
      host => "localhost"
      protocol => "http"
    }
  }
}
The thing is: now the automatic mapping feature of Logstash (described here:
http://logstash.net/docs/1.4.2/filters/geoip) is not taken into account.
So it may be possible to manually create a mapping template (see
http://logstash.net/docs/1.4.2/filters/geoip ... manage_template /
template) in the Logstash output config.
Or you can stick to the default output index of logstash.
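Added example, not part of the thread above: the reason the geoip mapping disappears with a custom index name is that Elasticsearch only applies an index template to indices whose name matches the template's pattern, and the template Logstash 1.4.x installs by default is bound to "logstash-*". The script below models that rule: it expands the daily index name the output config would produce, checks which template would cover it, and builds a template bound to "syslog-*" that carries the geo_point mapping for geoip.location. The template body is a constructed stand-in modeled on Logstash's default elasticsearch-template.json (only the parts relevant here are reproduced, so treat it as an approximation, not a verbatim copy), and the timestamp is a constructed sample event time.

```python
"""Why a custom Logstash index name loses the stock mapping, and how to get it back."""
import fnmatch
import json
from datetime import datetime, timezone

# Constructed sample event time; any event landing on 2014-10-01 UTC ends up in that day's index.
SAMPLE_EVENT_TIME = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)


def build_template(index_pattern):
    """Return an index template bound to `index_pattern` (e.g. "logstash-*" or "syslog-*").

    Modeled on the default template Logstash 1.4.x ships (assumption: approximate, not verbatim):
    string fields get a not_analyzed ".raw" multi-field, and geoip.location is a geo_point.
    """
    return {
        "template": index_pattern,
        "settings": {"index.refresh_interval": "5s"},
        "mappings": {
            "_default_": {
                "_all": {"enabled": True},
                "dynamic_templates": [{
                    "string_fields": {
                        "match": "*",
                        "match_mapping_type": "string",
                        "mapping": {
                            "type": "string", "index": "analyzed", "omit_norms": True,
                            "fields": {"raw": {"type": "string", "index": "not_analyzed",
                                               "ignore_above": 256}},
                        },
                    }
                }],
                "properties": {
                    "@version": {"type": "string", "index": "not_analyzed"},
                    "geoip": {
                        "type": "object", "dynamic": True, "path": "full",
                        "properties": {"location": {"type": "geo_point"}},
                    },
                },
            }
        },
    }


# What Logstash installs when manage_template is left at its default.
DEFAULT_TEMPLATE = build_template("logstash-*")


def render_index(index_setting, when):
    """Expand the %{+YYYY.MM.dd} sprintf token Logstash uses for daily indices.

    Simplified stand-in: only the one Joda date token used in the thread is handled.
    """
    return index_setting.replace("%{+YYYY.MM.dd}", when.strftime("%Y.%m.%d"))


def template_applies(template, index_name):
    """Elasticsearch applies a template at index creation only if the name matches its pattern."""
    return fnmatch.fnmatchcase(index_name, template["template"])


def geoip_location_mapping(template, index_name):
    """Type geoip.location gets from `template`, or None when the index is left to dynamic
    mapping (which guesses numeric types for lat/lon, so geo queries and map panels break)."""
    if not template_applies(template, index_name):
        return None
    props = template["mappings"]["_default_"]["properties"]
    return props["geoip"]["properties"]["location"]["type"]


if __name__ == "__main__":
    for setting in ("logstash-%{+YYYY.MM.dd}", "syslog-%{+YYYY.MM.dd}"):
        name = render_index(setting, SAMPLE_EVENT_TIME)
        print(name, "->", geoip_location_mapping(DEFAULT_TEMPLATE, name))
    # Template to load for the dedicated syslog index; write it to a file and point
    # the elasticsearch output at it.
    print(json.dumps(build_template("syslog-*"), indent=2))
```

To use the generated template with the dedicated index, save the JSON to a file and reference it from the elasticsearch output with `template => "/path/to/syslog-template.json"` and `template_name => "syslog"` (these are the 1.4.x output options the thread alludes to; the option names are taken from the Logstash docs and are not something this script verifies). The template must exist before the first syslog-* index is created; an index that was already created with dynamic mappings keeps them, so delete or reindex it after installing the template. Note that fnmatch also treats `?` and `[` as wildcards, which Elasticsearch patterns do not; for the `*`-only patterns used here the behaviour is the same.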