Index split

[ismailctest C]

Hi,

Is there any option to split index files?

Eg: We are getting the logs from 10 servers, one server logs to inject to new index file. Remaining all  to be injected to default index file.

[Miguel Casares]

Hello Ismail,

You can use the Split Index to accomplish this for the indices already indexed in your system. For instance:

POST /my-index-000001/_split/split-my-index-000001 { "settings": { "index.number_of_shards": 2 }

For the new logs, I would recommend editing the indexing pipeline:

/usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json  :

Then, you can create a filter based on the field on the Wazuh alerts. For instance

{ "date_index_name": { "if": "ctx.agent?.groups == 'groupa'", "field": "timestamp", "date_rounding": "d", "index_name_prefix": "{{fields.index_prefix}}groupa-", "index_name_format": "yyyy.MM.dd", "ignore_failure": true } },

Then, you need to reload the pipeline:

filebeat setup --pipelines

Once completed, you may need to create the new index pattern.

You may find more information here:

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-split-index.html

https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ingest-node.html

https://documentation.wazuh.com/current/user-manual/elasticsearch/configure-indices.html

I hope that helps. Let me know if you need anything else.

Regards,

Miguel