Daily indexs are rolling over now around 6 pm

jolson · Post by **jolson** » Wed Sep 02, 2015 10:10 am

Do you have any apache logs coming in? If so, they may be running against the following filter:

    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]

Note that this filter explicitly sets the date as opposed to letting Logstash handle it. This could easily account for the discrepancy you've been noticing.

krobertson71 · Post by **krobertson71** » Wed Sep 02, 2015 10:16 am

We do not have any Apache logs coming in at this time. This filter was in place by default when we installed Nagios Log Server. So I am assuming you guys put that there.

jolson · Post by **jolson** » Wed Sep 02, 2015 3:12 pm

If we could move this thread over to a ticket, this is something I'd like to take a look at myself. Any chance you'd like to mail [email protected] and reference this thread? If you're out of tickets/don't want to use one, we can continue troubleshooting in this thread.

krobertson71 · Post by **krobertson71** » Wed Sep 02, 2015 4:48 pm

Sounds good to me. I haven't had to use one yet so should be good.

hsmith · Post by **hsmith** » Wed Sep 02, 2015 4:52 pm

krobertson71 wrote:Sounds good to me. I haven't had to use one yet so should be good.

I'm going to go ahead and lock this thread up since the issue is going to be moved to a ticket. Keep the troubleshooting in one location

Nagios Support Forum

Daily indexs are rolling over now around 6 pm

Re: Daily indexs are rolling over now around 6 pm

Re: Daily indexs are rolling over now around 6 pm

Re: Daily indexs are rolling over now around 6 pm

Re: Daily indexs are rolling over now around 6 pm

Re: Daily indexs are rolling over now around 6 pm