I wanted to set the index prefix to something like graylog_alert_MM_DD_YYYY for every day, since it rotates, but until now I have only achieved graylog_alert_0, and the next day graylog_alert_1.
I want to do something like for the index prefix to be graylog_alert_09_27_2023.
Is there any way i can do this?
Thank you in advance
This is not possible as the index names are automatically generated and automatically increment using a number. For what it is worth, indexes themselves are not meant to be unique to a specific date and it cannot be guaranteed they would only contain logs from that date.
In Graylog, the index name is largely abstracted away and users of graylog don’t even need to see or be aware of what index a log message is in. Did you have a specific reason for wanting to design it this way? Feedback is always welcome so if you have any ideas let us know!
One of the primary reasons for separating the indices by date name is Log Lifecycle Management. I would like to store the logs of x days for a particular index, after which it can be removed. I understand Graylog takes care of it; however, I would also like to introduce some of my own control over index management. For example, if there is an index set named graylog_alerts and inside that set there are indices which begin from graylog_alerts_0 to graylog_alerts_30, I do not know which index belongs to which date even if I set the rotation strategy to P1D. The next day the index would be created, and later, if the index strategy is kept to archive… it might be possible to restore a particular index set for further investigation and DFIR.
Are there any workarounds you have heard of for this kind of problem?
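The question above boils down to mapping Graylog's numbered indices back to dates. The following is an added example, not code from this thread or from Graylog: it assumes only that the backing Elasticsearch/OpenSearch index exposes `index.creation_date` (epoch milliseconds) in its `_settings` response, and the sample response embedded below is constructed. Because Graylog writes to the newest index, index N holds messages from its own creation until index N+1 was created, which is enough to answer "which index covers this day" and "which indices are older than my retention window" without renaming anything.

```python
"""Map Graylog's counter-named indices (graylog_alerts_0, _1, ...) to the dates they cover.

Added example; assumes the Elasticsearch/OpenSearch ``GET <prefix>_*/_settings``
response shape, where each index carries ``settings.index.creation_date`` as
epoch milliseconds in a string.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a _settings response (only the field used here).
SAMPLE_SETTINGS = json.dumps({
    "graylog_alerts_0":  {"settings": {"index": {"creation_date": "1695772800000"}}},  # 2023-09-27
    "graylog_alerts_1":  {"settings": {"index": {"creation_date": "1695859200000"}}},  # 2023-09-28
    "graylog_alerts_2":  {"settings": {"index": {"creation_date": "1695945600000"}}},  # 2023-09-29
    "graylog_alerts_10": {"settings": {"index": {"creation_date": "1696636800000"}}},  # 2023-10-07
})

# Graylog index names are <prefix>_<counter>; anything else (aliases etc.) is skipped.
INDEX_RE = re.compile(r"^(?P<prefix>.+)_(?P<n>\d+)$")


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp like 2023-09-28T12:00:00 as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_creation_dates(settings_json: str) -> Dict[str, datetime]:
    """Return {index_name: creation time (UTC)} for every counter-named index."""
    dates: Dict[str, datetime] = {}
    for name, body in json.loads(settings_json).items():
        if not INDEX_RE.match(name):
            continue
        millis = int(body["settings"]["index"]["creation_date"])
        dates[name] = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
    return dates


def active_windows(dates: Dict[str, datetime]) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Order indices by counter and give each its write window [start, end).

    The window of index N closes when index N+1 is created; the newest index
    is still being written to, so its end is None.
    """
    ordered = sorted(dates, key=lambda n: int(INDEX_RE.match(n)["n"]))
    windows = []
    for i, name in enumerate(ordered):
        end = dates[ordered[i + 1]] if i + 1 < len(ordered) else None
        windows.append((name, dates[name], end))
    return windows


def index_for_timestamp(dates: Dict[str, datetime], when: datetime) -> Optional[str]:
    """Name of the index that was the write target at ``when`` (None if before the first)."""
    for name, start, end in active_windows(dates):
        if start <= when and (end is None or when < end):
            return name
    return None


def expired_indices(dates: Dict[str, datetime], now: datetime, retain_days: int) -> List[str]:
    """Indices whose write window closed more than ``retain_days`` before ``now``.

    These are the candidates for archiving or deletion under a custom
    retention policy; the open (newest) index is never returned.
    """
    cutoff = now - timedelta(days=retain_days)
    return [name for name, start, end in active_windows(dates)
            if end is not None and end <= cutoff]


if __name__ == "__main__":
    dates = parse_creation_dates(SAMPLE_SETTINGS)
    for name, start, end in active_windows(dates):
        print(f"{name}: {start.date()} -> {end.date() if end else 'open'}")
    print("covers 2023-10-01:", index_for_timestamp(dates, utc("2023-10-01T00:00:00")))
    print("older than 7 days on 2023-10-10:", expired_indices(dates, utc("2023-10-10T00:00:00"), 7))
```

In practice the JSON would come from the cluster (for example `curl -s 'http://localhost:9200/graylog_alerts_*/_settings'`) instead of the embedded sample; the mapping logic is the same. Note that the index counter, not the creation date, defines the order, so the function still works when rotation did not happen exactly once per day.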