How do I re-index when I’m using logstash to apply an index template?

Question

Im running version 5.3.0 of the ELK stack

This is the output section of my logstash config:

output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => myserver
      index => "logstash-syslog-%{+YYYY-MM-dd}"
      template_name => "MyTemplateIWantToEdit" 
      template => "/etc/my/template/blah"
      template_overwrite => true
    }
  }

I do this to apply my templates to indices logstash is forwarding to and it works great.

But now I want to edit one of my templates. What will happen when I modify a template I have logstash applying to an index? Will that cause Elasticsearch to reindex the whole index or create a new index?

I was almost tempted to just edit a template and restart logstash to see what happens, but I don't wanna break anything!

Also, I'm using logstash to create new indexes via "logstash-syslog-%{+YYYY-MM-dd}". Not sure how this would impact re-indexing

score 1 · Accepted Answer · answered May 27 '17 at 09:12

1

Elastic doesn't reindex anything automatically. If you change mapping, then only new documents will be processed with it. Elastic support reindexing via Reindex Api but still it will create new index.

answered May 27 '17 at 09:12

Retardust

294
1
11

1

Minor comment: If you change a template, that change will only be applied when you create a new index. So if you have daily indices, the change will only affect tomorrow's index and onwards. Today and before you'll need to reindex – xeraa May 27 '17 at 10:37

How do I re-index when I’m using logstash to apply an index template?

1 Answers1