Hello Alberto,

I'm trying to use the same setup in our infrastructure as well: different retention based on the input the message was received from. For example, I'm receiving messages on two inputs: syslog and GELF. I want syslog to be kept for 3 months, GELF for 1 month.

I'm still working on the final setup, but here's what I found until now and what I can recommend you start doing: set up two Graylog server instances on the same machine, and set up a different input for each. For example, instance 1 will have the input for syslog, and instance 2 will have the input for GELF. Both can write to the same Elasticsearch cluster, and have different index prefixes. And both can have different retention settings, IF you run both servers as master (found this out recently). If you have 2 Graylog server instances running, but clustered - one master, one .. not master :) - only the master's retention settings will be applied to the entire Graylog cluster.

What I'm trying to finalize now is to have 2 Graylog masters on the same machine, connected to the same Elasticsearch and MongoDB instance - but on different databases, so they don't see each other and switch to cluster mode (only one master). Basically that's the only workaround I found possible.

Tried setting TTLs at Elasticsearch level per cluster but could not route messages to the indexes I wanted. Tried sending the GELF messages with a specific TTL, but the GELF format does not support a TTL field and will consider it as an additional string field.

On Tuesday, April 28, 2015 at 11:14:16 PM UTC+3, Alberto Frosi wrote:
>
> Hi all,
> I would for a set of indexes, have a different retention only for a
> special Input.
> In my case, I would only for an Input a retention policy almost 6 months
> Is it possible?
> Thanks in advance
>
> Alberto
>
