multiple indexes per day possible?

[_asp_]

Hi,

during developement of logstash configuration and grok parsing, sometimes it is necessary for us to delete indexes to input the data again. Especially it is needed if we had some mistakes in type parsing.

Since we have multiple developement streams (developing on multiple logs in parallel) it would be nice if it is possible to create multiple indexes and to tell logstash to put the data into a custom index container. Routing may be of a field which is set during the processing of the message.
Doing so would also enable us to have different retention times for different logs.

How can this be done?

Regards, Andreas

[hsmith]

Right now we don't have a way to separate what logs go in to which index. This is something that may be coming along as a feature in a major release - but at the moment we use a daily index.

[paylocity]

Just wanted to chime in on this - my users are clamoring for this exact feature.

+1 on getting this into the next major release, if at all possible!

[rkennedy]

I filed a feature request for this, #9424. I think it would be really useful, not only for deleting, but also for user granularity.