on the OpenSearch Dashboards UI
create a rollover+delete policy
index mgmt / state mgmt policies / create policy: logs-policy; ISM templates / index patterns: logs-*
note: leave "numeric_detection": true out of the mapping; with it on, a string that happens to look numeric gets the field mapped as a number, so later HEX values in the same field are rejected and some logs are never indexed, e.g.
"type":"mapper_parsing_exception","reason":"failed to parse field [tcp.tcp_flags_ts] of type [long] in document with id '-2FDFo0Bo-jsbY2JzrAf'. Preview of field's value: '1f'
create an index template
index mgmt / templates / create template
name: logs-template
template type: data streams
index patterns: logs-*
shards: depends on HOW MANY NODES you have
replicas: 1
sample index mapping: see elastic-mgmt-mapping for details
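The same policy and template as the REST requests the two dashboard forms submit (added example, not from the original notes; the 1d rollover age, 30d retention, 3 shards and the keyword mapping for tcp.tcp_flags_ts are assumed values for illustration):

```http
# ISM policy: roll over the write index daily, delete backing indices after 30 days
PUT _plugins/_ism/policies/logs-policy
{
  "policy": {
    "description": "rollover daily, delete after 30 days",
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [ { "rollover": { "min_index_age": "1d" } } ],
        "transitions": [ { "state_name": "delete", "conditions": { "min_index_age": "30d" } } ]
      },
      { "name": "delete", "actions": [ { "delete": {} } ], "transitions": [] }
    ],
    "ism_template": [ { "index_patterns": ["logs-*"], "priority": 100 } ]
  }
}

# index template for the logs-* data stream; numeric_detection stays at its default (false),
# and the flags field is mapped explicitly as keyword so a hex value like '1f' is accepted
PUT _index_template/logs-template
{
  "index_patterns": ["logs-*"],
  "data_stream": {},
  "template": {
    "settings": {
      "number_of_shards": 3,
      "number_of_replicas": 1
    },
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "tcp": { "properties": { "tcp_flags_ts": { "type": "keyword" } } }
      }
    }
  }
}
```

Paste both requests into Dev Tools in the dashboards UI, or send each body with curl to the same paths.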
create an index (search) pattern: you need to push some data first
stack mgmt / index patterns
index pattern: logs-*
time field: @timestamp
https://opensearch.org/docs/latest/dashboards/im-dashboards/index-management/
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/number.html