Our organization creates new indexes almost daily for one-off/one-shot logs from different customers we work with. This leads to a lot of overhead around creating inputs.conf, index.conf stanzas, the rare props.conf stanza for custom sourcetypes/logs, and especially filesystem-level access like creating the new batch directories on the forwarder.
We are automating all of this but still have a few things that seem to need filesystem access. We are trying to avoid this type of access but can't seem to find other solutions for the following:
- Moving the config files updated by the API from .../system/local/ to .../master-apps/_cluster/local on the Master.
- Creating the batch directories on the forwarder.
- Pushing the log files to the batch directories on the forwarder.
Is there any way to avoid these items? Is there a completely different way to do this considering the constant index/inputs/props creation requirements for various types of one-off logs?