Multiple Indices

[gromit6891]

Within config.php, is it possible to create another section to query a logstash index of a different name?
I tried adding one but it doesn't come up as an option when creating a new Search.

Example:

# Configuration for the logstash index that 411 queries.
    'logstash' => [
        'hosts' => ['http://192.168.0.11:9200'],
        'index_hosts' => [],
        'index' => 'logstash-apache',
        'date_based' => true,
        'date_field' => '@timestamp',
        'src_url' => null,
    ],
     # Syslog configuration
    'syslog' => [
        'hosts' => ['http://192.168.0.11:9200'],
        'index_hosts' => [],
        'index' => 'syslog',
        'date_based' => true,
        'date_field' => '@timestamp',
        'src_url' => null,
    ],
];

[kiwiz]

Unfortunately, doing this is a bit tricky at the moment:

1. Create the new Search class in phplib/Search/.
2. Add the new class to the type array in phplib/Search.php.

For your particular case, you can use the following two commands:

1. sed 's/Logstash/Syslog/g; s/logstash/syslog/g' phplib/Search/Logstash.php > phplib/Search/Syslog.php;
2. sed -i -E 's/(\$TYPES = \[.+?)(];)/\1, '\'Syslog_Search\''\2/' phplib/Search.php

Let me know if that works for you!

[gromit6891]

Great thanks!
Just one issue left now; when creating a search using Syslog as a source the 'Fields' & 'Description' fields are missing/not rendered. These seem to be referenced by /var/www/411/htdocs/assets/templates/searches/search/elasticsearch/b.html
Is there something more that needs to be done?

[kiwiz]

Whoops, forgot one step. Since this is an Elasticsearch search, you have to register it as such on the frontend. Add the following line to this file:
SearchView.registerSubclass('syslog', ElasticsearchSearchView);

Or apply this diff:

diff --git a/htdocs/assets/js/views/searches/search/load.js b/htdocs/assets/js/views/searches/search/load.js
index 50e61fb..b6db825 100644
--- a/htdocs/assets/js/views/searches/search/load.js
+++ b/htdocs/assets/js/views/searches/search/load.js
@@ -20,2 +20,3 @@ define(function(require) {
     SearchView.registerSubclass('logstash', ElasticsearchSearchView);
+    SearchView.registerSubclass('syslog', ElasticsearchSearchView);
     SearchView.registerSubclass('alert', ElasticsearchSearchView);

[gromit6891]

I made the change to register the new subclass in load.js, but still not seeing the 'Fields' & 'Description' fields. Running the Test function does retrieve valid data though.

[kiwiz]

Run grunt prod to rebuild assets and you should be (hopefully) good to go!

[gromit6891]

That did the trick!
Again, great project so many features.