Hello everyone,
I’m coming to you to make sure that my request is possible or not.
Currently, I got a Hot-Warm configuration allowing me to use curator to switch all my logs from a single index to a second nodes once a delay of 7 days has been reached, thus going from hot to warm and stored on a storage server but remaining accessible.
After much research, I wonder if it is possible to apply different retention rules for different types of servers.
A simple way to identify them is by their names, ending in -dev and -int respectively. The rest are the servers in operation.
I thought it first too, but but since it is my server logs that I want to process in a different way.
I think I’ve found the way to do it.
To be able to keep my log server of all xx-dev during x days,
the log server of xxx-test during n days, etc.
I can create a collector for “dev” and edit the “index” value (Configure the Elasticsearch output | Filebeat Reference [7.11] | Elastic)
That way, I create a new index set to match with the previous value.
And I would only have to edit the action file and configure it.
I don’t know if I’m clear with this explanation, but i finally found this way to my problem.
Oh, great.
If more than one collector is an option and if it fits your needs you sure must give it a try.
You could even consider putting here, in a more technical way, how you’re thinking on doing that, so it can be used as a solution to other users.
