Hi Jochen, thank you for your reply! From my perspective, your answer is kind of disturbing and irritating which is why I would be happy to discuss this further because I would like to understand the "why not". I am aware of Graylog's open source nature and the fact that developers work on this in their free time, so of course I have no right to claim certain features. No offence is intented in the following:
Some thoughts: 1. Maybe it is a feature that would require too many dev resources or it is an architectural issue that would require too many changes. While this would be sad, maybe only a small-scaled, basic solution could be realized (also see 2.)? Or maybe it's a candidate for a commercial feature? 2. Maybe it is a simple misunderstanding of the requirement. You talk about "concurrent and possibly incompatible" index schemes, however I am not sure how there could occur any incompatibility in retention times. My perspective/wish/understanding: I would simply like to be able to keep one large bunch of logs for X days and another, second bunch of distinctivly defined logs for Y (!=X) days, so no incompatibility (right?). I would be able to separate these two types e.g. based on inputs. From my understanding of the Graylog architecture, this would require two indices instead of one plus the required handling (deflectors etc.) with a retention strategy per index. Then, messages from one input could be routed into the first index and those from another input into the second index. I think many people could handle their environment with such a simple primary/secondary (master/slave, you-name-it,... simply 2 instead of 1) index scheme so there would be no need for a huge, work-intense solution to support a large arbitrary number of different indices. I think going from 1 index to 2 indices is much easier than going from 1 to many (correct me if I'm wrong). 3. Maybe you (not necessarily you in person, but the dev team in general) do not consider the feature as relevant/essential/desirable and too specialized from your perspective. The Graylog idea portal suggests otherwise, because the idea with the most votes (https://graylog.ideas.aha.io/ideas/GL2E-I-356) is exactly the demand for multiple retention times and it has been opened almost 1 year ago. In January, Matt confirmed its consideration in v2.0 btw, could you please comment on that? Thank you in advance for your respone. Best regards, tokred On Monday, April 18, 2016 at 5:20:24 PM UTC+2, Jochen Schalanda wrote: > > Hi tokred, > > support for multiple (concurrent and possibly incompatible) index schemes > and retention times is not included in Graylog 2.0.0 and currently isn't on > the roadmap in the mid-term. > > > Cheers, > Jochen > > On Friday, 15 April 2016 14:49:59 UTC+2, [email protected] wrote: >> >> Hi all, >> >> I really appreciate the recent developments of Graylog towards 2.0 and >> big applause for the efforts of the developers! >> >> However, I am still desperately hoping/waiting for a features which has >> been number 1 on the idea portal for almost a year (!) - multiple indices >> with different retention times. From my understanding, the archiving >> feature does not cover this, right? >> >> Kindly ask for any plans or alternatives. >> >> >> Best regards, >> tokred >> > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/dd610552-2301-454d-addf-525b8b9a1716%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
