Hi,
I'm using the following software versions which I'm not allowed to upgrade, on RedHat:

graylog2 0.20.1
elasticsearch 0.90.10

Graylog gets messages from logstash.
I need to set a default TTL for all incoming messages, but I'm having trouble with this.

Most online resources simply suggest this:

curl -XPUT "http://localhost:9200/graylog2/message/_mapping" -d '{"message": {"_ttl" : { "enabled" : true, "default" : "30d" }}}'

But, as far as I understand, this only adds the default _ttl for an index called "graylog2".

In my configuration instead (which I guess is a default) graylog cycles through many indices, calling them "graylog2_1", "graylog2_2", and so on. So I cannot just set _ttl for existing indices: I also need to define a default value for all new indices that graylog will create.

I tried with templates: I created this file as templates/graylog2_ttl_template.json inside /etc/elasticsearch, which is where elasticsearch configuration can be found:

{
        "graylog2_ttl_template" : {
                "template" : "graylog2*",
                "mappings" : {
                        "_default_" : {
                                "_ttl" : {
                                        "enabled" : true,
                                        "default" : "180d"
                                }
                        }
                        "message" : {
                                "_ttl" : {
                                        "enabled" : true,
                                        "default" : "180d"
                                }
                        }
                }
        }
}

(I used both "message" and "_default_" just to be sure)
Then I restarted elasticsearch, and in graylog GUI I manually cycled the deflector, letting it create a new index. But the mapping for the message type in the new index is still the old one, which has _ttl enabled but with no default duration.

What am I missing? Why isn't the template used?
What is the right way to accomplish this?

Thank you for any info.

--
01
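
An added example, not part of the original post: a Python check that a template file body parses as JSON, that its index pattern covers the expected index names, and that the message type carries a default _ttl. The function name check_template and the FIXED variant are constructed here; POSTED is the body from the post, re-indented.

```python
import fnmatch
import json

def check_template(text, index_names, doc_type="message"):
    """Return a list of problems found in an index template file body."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Syntax errors are reported first; nothing else can be checked.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    problems = []
    for name, body in doc.items():
        pattern = body.get("template", "")
        missed = [i for i in index_names if not fnmatch.fnmatchcase(i, pattern)]
        if missed:
            problems.append(f"{name}: pattern {pattern!r} does not match {missed}")
        ttl = body.get("mappings", {}).get(doc_type, {}).get("_ttl", {})
        if not ttl.get("enabled"):
            problems.append(f"{name}: _ttl not enabled for type {doc_type!r}")
        if "default" not in ttl:
            problems.append(f"{name}: no default _ttl for type {doc_type!r}")
    return problems

# Template body as posted above, re-indented (no comma between the two mappings).
POSTED = """{
  "graylog2_ttl_template" : {
    "template" : "graylog2*",
    "mappings" : {
      "_default_" : { "_ttl" : { "enabled" : true, "default" : "180d" } }
      "message" : { "_ttl" : { "enabled" : true, "default" : "180d" } }
    }
  }
}"""
# Same body with the separator added (constructed for comparison).
FIXED = POSTED.replace('} }\n      "message"', '} },\n      "message"')
INDICES = ["graylog2_1", "graylog2_2"]  # index names mentioned in the post

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_template(text, INDICES) or "ok")
```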
