Following scenarion. We are migrating from an old Graylog to a new Graylog. Between the two we had to build another Graylog/Elastic cluster because the direct way was not possible. The versions are too far apart.
What we do now is to copy and index from old -> stage -> new. In the new we will reindex the copied index in its final destination. So far so good, this works perfectly.
The problem comes with the Graylog streams in the new cluster. They are not updated an I will not see any old data thru the stream. Our users have only access to the streams and they need to see the old data.
Is it possible to feed an elastic index into an input so the streams get updated?
the only option I can see is to update each document with the stream IDs it belongs too.
By far that is not an easy process - and along the way updating your Graylog/Elasticsearch it might be helpful todo the migration of your old Graylog to the new step-by-step and version to version taking your data with you.
I try now to dump and index _source field with elasticdump (https://www.npmjs.com/package/elasticdump) to a file and feed it into logstash.
Will let you know if this works
