I've been searching the web for the last couple of hours trying to figure this out. I have a central ES server that consumes all my data. It sits in a private network. On a separate network I want to bring up another ES and give clients access to it, so they can check some stats.
My questions:
What's the best way to feed the data to this new instance based on a query result that is specific to this client?
In the case of Logstash, why doesn't it go through all the indexes returning all documents that match my query?
E.g.:
"query": {
  "bool": { "must": { "match": { "referrer": "clientsite.com" } } } }
}
From my research, the new "Reindex from Remote" feature in ES 5.0 is the way of the future, but most internet articles point to Logstash using the elasticsearch plugin as input and output method.
I tried that, but it seems like Logstash only produces a small amount of results and then quits. If I use only "match_all": {} it seems to go through all my documents.
Here is my logstash.conf file (the output block was missing its opening `output {` line as posted; it is restored here):
input {
  elasticsearch {
    hosts => "192.168.0.1"
    index => 'logstash-*'
    query => '{ "query": { "bool": { "must": { "match": { "referrer": "clientsite.com" } } } } }'
    scroll => "1m"
    size => 1000
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}
I also tried this query line, with no success:
query => '{ "query": { "bool": { "must": { "match_all": {} } , "filter": { "term": { "referrer": "uol.com.br" } } } }, "sort": [ "_doc" ] }'
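Added example, not part of the original post: the "Reindex from Remote" route mentioned above, expressed as a `_reindex` request body that the client-facing cluster would send to pull only the documents matching the post's referrer query from the central cluster. The central host 192.168.0.1 comes from the post; the destination index name `clientsite-stats` and the port 9200 are assumptions.

```python
"""Build and submit a _reindex-from-remote request (ES 5.0+) that copies one
client's subset of logstash-* from the central cluster into the client-facing
cluster, so the exposed cluster never holds other clients' documents."""
import json
import urllib.request

CENTRAL_ES = "http://192.168.0.1:9200"  # central node from the post; port assumed
DEST_INDEX = "clientsite-stats"          # assumed name for the client's copy


def client_query(referrer):
    """Same bool/must/match query as in the post, parameterised by referrer."""
    return {"bool": {"must": {"match": {"referrer": referrer}}}}


def build_reindex_body(referrer, source_index="logstash-*", size=1000):
    """Body for POST /_reindex on the *client-facing* cluster.
    Refuses an empty referrer so an effectively unrestricted query cannot
    copy every client's data into a cluster that outsiders can read."""
    if not referrer or not referrer.strip():
        raise ValueError("referrer filter must not be empty")
    return {
        "source": {
            # The remote host must also appear in reindex.remote.whitelist
            # (elasticsearch.yml) on the destination cluster.
            "remote": {"host": CENTRAL_ES},
            "index": source_index,
            "size": size,  # batch size per scroll request, as in the Logstash input
            "query": client_query(referrer.strip()),
        },
        "dest": {"index": DEST_INDEX},
    }


def whitelist_entry(host_url):
    """host:port form expected by reindex.remote.whitelist (no scheme)."""
    return host_url.split("://", 1)[-1].rstrip("/")


def run_reindex(dest_es, body):
    """Submit the copy asynchronously; the returned task id can be polled
    through the task API to confirm how many documents were copied."""
    req = urllib.request.Request(
        dest_es.rstrip("/") + "/_reindex?wait_for_completion=false",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Unlike the Logstash input, the reindex task runs inside Elasticsearch and reports its own `created`/`total` counts, which makes it easy to compare against a count query on the central cluster for the same referrer.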