Applying ILM on custom index

hjazz6 · June 1, 2023, 8:40am

Hi,

I am using filebeat 8.3.3 with several inputs and writing them to the same ES 8.3.3. To separate the different inputs on ES, I have the following in my filebeat.yml.

output.elasticsearch:
  indices:
    - index: "filebeat-%{[agent.version]}-inputA-%{+yyyy.MM.dd}"
      when.equals:
        input.type: "log"
    - index: "filebeat-%{[agent.version]}-inputB-%{+yyyy.MM.dd}"
      when.equals:
        input.type: "filestream"

I now have these indices created daily, but ILM is not applied on them, so they can grow to 1-2TB per day.

I've read that ILM doesn't work on custom indices. Is there any workaround to this so that I can apply ILM on these 2 indices and have them be rotated every 50GB and deleted after 7 days?

Thank you.

Wave · June 5, 2023, 8:06pm

Hi @hjazz6,

ILM supports custom indices but you need to use an alias and often you have to bootstrap the index. See here for the following documentation.

warkolm · June 6, 2023, 12:25am

Also FWIW there's no value in using %{+yyyy.MM.dd} in your index names if you are using ILM as variables won't be used when things are rolled over.

hjazz6 · June 6, 2023, 7:53am

Thanks, I've removed the date from the index names.

Topic		Replies	Views
ILM with custom index names Elasticsearch ilm-index-lifecycle-management	4	844	June 23, 2020
Question about ILM Elasticsearch ilm-index-lifecycle-management	7	618	October 19, 2020
ILM for each module fileset Beats ilm-index-lifecycle-management , filebeat	3	471	October 2, 2020
ILM using custom Logstash indices Elasticsearch ilm-index-lifecycle-management	2	399	May 4, 2021
Custom index names with an ILM policy Beats filebeat , metricbeat , auditbeat	5	1417	August 24, 2020

Applying ILM on custom index

Related topics