Re: Daily indexs are rolling over now around 6 pm
Posted: Wed Sep 02, 2015 10:10 am
by jolson
Do you have any Apache logs coming in? If so, they may be running against the following filter:
Code:
if [program] == 'apache_access' {
    grok {
        match => [ 'message', '%{COMBINEDAPACHELOG}' ]
    }
    # Overwrites @timestamp with the time parsed from the log line
    date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
    }
}
Note that this filter explicitly sets the date as opposed to letting Logstash handle it. This could easily account for the discrepancy you've been noticing.
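An added illustration (not code from this thread or from Nagios Log Server) of what explicitly setting the date means: the date filter replaces @timestamp with the time parsed from the log line, stored in UTC, and a daily index is then chosen from that UTC date. The `logstash-YYYY.MM.dd` index pattern, the helper names, the sample times and the -0600 offset are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# Python equivalent of the filter's Joda pattern 'dd/MMM/yyyy:HH:mm:ss Z'
APACHE_FMT = "%d/%b/%Y:%H:%M:%S %z"


def event_timestamp(fields, received_at):
    """Return (@timestamp in UTC, parsed?) the way the date filter would set it.

    If 'timestamp' is missing or does not match the pattern, the receive time
    is kept (Logstash tags a failed parse with _dateparsefailure).
    """
    raw = fields.get("timestamp")
    if raw is not None:
        try:
            return datetime.strptime(raw, APACHE_FMT).astimezone(timezone.utc), True
        except ValueError:
            pass
    return received_at.astimezone(timezone.utc), False


def daily_index(ts_utc, prefix="logstash-"):
    """Name of the daily index an event lands in (assumed pattern, UTC date)."""
    return prefix + ts_utc.strftime("%Y.%m.%d")


def index_for(fields, received_at):
    ts, _parsed = event_timestamp(fields, received_at)
    return daily_index(ts)


# Constructed sample: events received at 01:00 UTC on 3 Sep 2015
RECEIVED = datetime(2015, 9, 3, 1, 0, 0, tzinfo=timezone.utc)
SAMPLES = [
    {"timestamp": "02/Sep/2015:17:59:59 -0600"},  # before 6 pm local
    {"timestamp": "02/Sep/2015:18:30:00 -0600"},  # after 6 pm local
    {"timestamp": "not a date"},                  # parse failure
    {},                                           # no timestamp field
]

if __name__ == "__main__":
    for fields in SAMPLES:
        print(fields.get("timestamp"), "->", index_for(fields, RECEIVED))
```
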
Re: Daily indexs are rolling over now around 6 pm
Posted: Wed Sep 02, 2015 10:16 am
by krobertson71
We do not have any Apache logs coming in at this time. This filter was in place by default when we installed Nagios Log Server. So I am assuming you guys put that there.
Re: Daily indexs are rolling over now around 6 pm
Posted: Wed Sep 02, 2015 3:12 pm
by jolson
If we could move this thread over to a ticket, this is something I'd like to take a look at myself. Any chance you'd like to mail [email protected] and reference this thread? If you're out of tickets/don't want to use one, we can continue troubleshooting in this thread.
Re: Daily indexs are rolling over now around 6 pm
Posted: Wed Sep 02, 2015 4:48 pm
by krobertson71
Sounds good to me. I haven't had to use one yet so should be good.
Re: Daily indexs are rolling over now around 6 pm
Posted: Wed Sep 02, 2015 4:52 pm
by hsmith
krobertson71 wrote: Sounds good to me. I haven't had to use one yet so should be good.
I'm going to go ahead and lock this thread up since the issue is going to be moved to a ticket. Keep the troubleshooting in one location.
