Hello all,

My current graylog config:

rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
elasticsearch_index_prefix = graylog2

I want to delete certain log entries from ES, for example all entries that are older than 15 days and come from testserver (i.e. have a field named "source" with value "testserver").

My question: is it possible to do this more elegantly without using the ES delete by query API? As I understand, the rotated indexes are additionally blocked for writing, which makes it even more ugly - delete by query doesn't work at all and I need to unblock them first.

For example, is it possible to route specific messages (by using a different input/stream) to a separate index (with daily rotation) and then to delete just the necessary indexes? I use logstash as a parser too.

Thanks in advance
