Make search frontend aware of index name format string

Description

The elasticsearch output allows the index name to be given as a format string. The default "logstash-%{+YYYY.MM.dd}" results naturally in indices named for the day of the docs/events they contain. However, the search frontend doesn't limit searches to indices that match the format string, nor provide any way to explicitly include or exclude specific indices for a given search.

That said, it would be nice if the frontend could be made aware of the format string and provide some mechanism, perhaps automated, by which the scope of indices that a given search would run against could be limited. This could provide a dramatic performance increase for common-case searches, which are often limited to a time range of hours or days, especially on systems which have a deep retention policy. Additionally, this would allow elasticsearch to be used much more generally without fear of polluting the logstash search results with unrelated indices.
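The scoping described above, as an added example that is not part of the original issue and is not Logstash or Kibana code: it expands the index name format string into the list of indices a time-bounded search has to touch. The function names are hypothetical, and only the Joda-Time tokens `YYYY`, `MM` and `dd` are handled (day granularity or coarser).

```ruby
require 'date'

# Joda-Time tokens supported by this sketch, mapped to strftime equivalents.
# Assumption: finer-grained tokens (hours, minutes) are rejected, not guessed.
JODA_TO_STRFTIME = { 'YYYY' => '%Y', 'yyyy' => '%Y', 'MM' => '%m', 'dd' => '%d' }.freeze

# Turn "logstash-%{+YYYY.MM.dd}" into a strftime template "logstash-%Y.%m.%d".
def index_template(fmt)
  m = fmt.match(/\A(.*?)%\{\+([^}]+)\}(.*)\z/)
  raise ArgumentError, "no date pattern in #{fmt.inspect}" unless m
  date_part = m[2].gsub(/[A-Za-z]+/) do |tok|
    JODA_TO_STRFTIME.fetch(tok) { raise ArgumentError, "unsupported token #{tok}" }
  end
  # Escape any literal % in the fixed parts so strftime leaves them alone.
  m[1].gsub('%', '%%') + date_part + m[3].gsub('%', '%%')
end

# Index names that a search over [from, to] needs to query.
# Logstash formats the event timestamp in UTC, so both bounds are converted
# to UTC before the days are enumerated.
def indices_for(fmt, from, to)
  raise ArgumentError, 'from is after to' if from > to
  template = index_template(fmt)
  days = from.getutc.to_date..to.getutc.to_date
  # uniq collapses repeats when the pattern is coarser than one day.
  days.map { |d| d.strftime(template) }.uniq
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample range: a search window given in a -07:00 local zone.
  from = Time.new(2012, 8, 19, 22, 0, 0, '-07:00')
  to   = Time.new(2012, 8, 21, 7, 15, 0, '+00:00')
  puts indices_for('logstash-%{+YYYY.MM.dd}', from, to).join(',')
end
```

Joined with commas, the result can be used as the index part of an Elasticsearch search URL, so the query never reaches indices outside the format string or outside the time range.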

Activity

Jordan Sissel
August 21, 2012, 7:15 AM

Kibana is the future of logstash web and I think it is already aware of the default logstash index naming (by year/month/day) and further improvements are coming to that project as well.

Assignee

Jordan Sissel

Reporter

Dave Rawks

Labels

None
