By Date Indexes when using Elastic Ingest

tbernhardson · July 29, 2020, 4:47am

When using Logstash it's easy to tell the system to create indices by day (also then making it easy to delete old data). I've tried to figure out how to do the same thing when sending the beats data directly to Elasticsearch instead of through Logstash and havn't had any luck.
Can someone point me to documentation on how to do this?
I.E. Currently when using Elastic Ingest the indices are named auditbeat-7.6.2-2020.04.19-000001 (for example) with the date appearing to be when Elastic was started. I would like to create one index for each day, for all the different beats (auditbeat, metricbeat, filebeat, etc).

Thanks
Tim B

warkolm · July 29, 2020, 4:59am

Beats use ILM by default. The idea being you don't need to worry about daily indices, as it will manage the rollover for you.

The indices will rollover every 30 days, or when the size hits 50GB using ILM.

tbernhardson · July 29, 2020, 3:29pm

Ok, then I need to look into why ILM isn't working, because I have 4+ months of data taking up roughly a TB of data..

Thanks
Tim B

system · August 26, 2020, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.