I’m a newbie on Graylog and I could use a little help. I currently have 3 GELF entries to read DHCP logs, DC logs and Workstation logs, but I have a problem with ElasticSearch which tells me that the indexes have been exceeded:
ElasticsearchException[Elasticsearch exception [type=illegal_argument_exception, reason=Limit of total fields [1000] has been exceeded]]
I’ve searched for I don’t know how many hours on the forum but no solution, so if you have any ideas I’d love to hear from you!
An index should have no more than 1k distinct field names. So what you will want to do is create additional indices, then create different streams that are attached to each of those indices. Finally, using either stream rules or pipelines, route those messages to that stream. One for DHCP logs, one for domain controller, etc.
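To make the advice above concrete, here is an added example (not code from the thread or from the Graylog project) that models the routing in plain Python: three streams, each bound to its own index set, match on the `source` field, and a small helper shows how the distinct-field count is spread across index sets instead of piling up in one mapping, which is what triggers the `Limit of total fields [1000]` error. The stream names, index set names, field names and sample messages are all constructed for illustration; the pipeline rule in the comment uses the `regex(...)`/`route_to_stream(name: ...)` functions of Graylog's pipeline processor as a sketch of the equivalent configuration and is also an assumption, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed GELF-style messages (dicts of field -> value). Field names are
# illustrative only; real DHCP, DC and workstation logs carry many more fields.
SAMPLE_MESSAGES = [
    {"source": "dhcp01", "message": "lease granted",
     "dhcp_client_mac": "00:11:22:33:44:55", "dhcp_lease_ip": "10.0.0.15"},
    {"source": "dc01", "message": "logon",
     "winlog_event_id": 4624, "winlog_target_user": "alice"},
    {"source": "ws-042", "message": "service started",
     "winlog_event_id": 7036, "service_name": "Spooler"},
    {"source": "dhcp02", "message": "lease renewed",
     "dhcp_client_mac": "66:77:88:99:aa:bb", "dhcp_lease_ip": "10.0.0.16",
     "dhcp_scope": "10.0.0.0"},
]

# Hypothetical stream definitions: stream name, the index set it writes to,
# and a stream rule of type "match regular expression" on one field.
# In Graylog these live under System > Streams and System > Indices.
STREAMS = [
    {"name": "DHCP logs", "index_set": "dhcp_logs",
     "field": "source", "pattern": r"^dhcp\d+$"},
    {"name": "DC logs", "index_set": "dc_logs",
     "field": "source", "pattern": r"^dc\d+$"},
    {"name": "Workstation logs", "index_set": "workstation_logs",
     "field": "source", "pattern": r"^ws-\d+$"},
]

# Sketch of the same routing as a pipeline rule (assumed syntax, one rule per stream):
#   rule "route DHCP logs"
#   when
#     regex("^dhcp\\d+$", to_string($message.source)).matches
#   then
#     route_to_stream(name: "DHCP logs");
#   end

# The Elasticsearch default that the error message refers to.
FIELD_LIMIT = 1000


def route(message, streams=STREAMS, default_index_set="graylog_default"):
    """Return the index set a message ends up in: the first stream whose rule
    matches wins; anything unmatched falls through to the default index set."""
    for stream in streams:
        value = message.get(stream["field"])
        if value is not None and re.match(stream["pattern"], str(value)):
            return stream["index_set"]
    return default_index_set


def distinct_fields_per_index_set(messages, streams=STREAMS):
    """Count the distinct field names each index set's mapping would accumulate."""
    fields = defaultdict(set)
    for msg in messages:
        fields[route(msg, streams)].update(msg.keys())
    return {name: len(names) for name, names in fields.items()}


def distinct_fields_single_index(messages):
    """Field count if every message lands in one index (the situation that
    eventually exceeds the 1000-field limit)."""
    names = set()
    for msg in messages:
        names.update(msg.keys())
    return len(names)


def index_sets_over_limit(messages, streams=STREAMS, limit=FIELD_LIMIT):
    """Names of index sets whose distinct-field count exceeds the mapping limit."""
    counts = distinct_fields_per_index_set(messages, streams)
    return sorted(name for name, count in counts.items() if count > limit)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{msg['source']:8} -> {route(msg)}")
    print("one index :", distinct_fields_single_index(SAMPLE_MESSAGES), "fields")
    print("per index :", distinct_fields_per_index_set(SAMPLE_MESSAGES))
```

The point of the split is visible in the two counts: every index set only has to hold the field names of the log type it receives, so a noisy source (workstation logs with many one-off fields, for instance) cannot push the DHCP or DC index mapping over the limit. The order of `STREAMS` matters if rules overlap, since the first match wins here; in Graylog itself a message can belong to several streams, so keep the rules mutually exclusive when each stream has its own index set.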
Wow, I literally just started Graylog and everything is a little fuzzy. How do I create additional indexes? But also, and especially, how do I bring my entry into this index that I would have created?
Sorry, this may be a silly question, but I really don’t know much about it.