Applying ILM on custom index

hjazz6 · June 1, 2023, 8:40am

Hi,

I am using filebeat 8.3.3 with several inputs and writing them to the same ES 8.3.3. To separate the different inputs on ES, I have the following in my filebeat.yml.

output.elasticsearch:
  indices:
    - index: "filebeat-%{[agent.version]}-inputA-%{+yyyy.MM.dd}"
      when.equals:
        input.type: "log"
    - index: "filebeat-%{[agent.version]}-inputB-%{+yyyy.MM.dd}"
      when.equals:
        input.type: "filestream"

I now have these indices created daily, but ILM is not applied on them, so they can grow to 1-2TB per day.

I've read that ILM doesn't work on custom indices. Is there any workaround to this so that I can apply ILM on these 2 indices and have them be rotated every 50GB and deleted after 7 days?

Thank you.

Wave · June 5, 2023, 8:06pm

Hi @hjazz6,

ILM supports custom indices but you need to use an alias and often you have to bootstrap the index. See here for the following documentation.

warkolm · June 6, 2023, 12:25am

Also FWIW there's no value in using %{+yyyy.MM.dd} in your index names if you are using ILM as variables won't be used when things are rolled over.

hjazz6 · June 6, 2023, 7:53am

Thanks, I've removed the date from the index names.

system · July 4, 2023, 7:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.