Can Filebeat access the lifecycle policies on Elasticsearch?

In the case of Logstash, I was able to specify an existing policy name in the Elasticsearch output.
Something like:

output {
    elasticsearch {
        hosts => "http://XXXXXXXXXXX"
        ilm_enabled => "true"
        ilm_rollover_alias => "log-device"
        ilm_pattern => "000001"
        ilm_policy => "my_policy"
        user => 'YYYYYYYY'
        password => 'ZZZZZZZZ'
    }
}

However, in the case of Filebeat, the documentation says:

setup.ilm.policy_name : The name to use for the lifecycle policy. The default is filebeat.

So can I put my_policy here and expect that it will work? Something like this:

setup.ilm.policy_name : my_policy

If not, I will have to write my own JSON-based lifecycle policy to reduce the number of days the indices are retained to one week. Is there any other way to achieve the same in an easier way?

It is super useful to manage the number of days the indices are retained at a central place like the Kibana console. The deployments of Filebeat can be across hundreds of PCs, and it will be a nightmare to change the JSON files manually.

I hope my understanding of the situation is wrong and there are better ways to manage the number of days I retain the indices created by filebeat.

If that policy exists, yes.

Oh that is super nice. Maybe the documentation can be updated as

Not sure I follow, it still needs to exist in Elasticsearch.
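Added example (not part of the original thread): a `filebeat.yml` fragment that points Filebeat at the existing `my_policy` discussed above without replacing it. The host and credentials are the placeholders from the question, and the policy is assumed to have been created in Elasticsearch already.

```yaml
# filebeat.yml (added example, not from the original posts)

# Use index lifecycle management and reference the policy by name.
setup.ilm.enabled: true
setup.ilm.policy_name: "my_policy"   # assumed to exist in Elasticsearch already

# Default is true: Filebeat checks at startup whether the policy exists.
# The connecting user needs the read_ilm cluster privilege for this check.
setup.ilm.check_exists: true

# Default is false: an existing policy is left untouched, so retention
# stays under central control instead of being reset by each agent.
setup.ilm.overwrite: false

output.elasticsearch:
  hosts: ["http://XXXXXXXXXXX"]   # placeholder from the question
  username: "YYYYYYYY"            # placeholder from the question
  password: "ZZZZZZZZ"            # placeholder from the question
```

If `my_policy` is missing when Filebeat starts, Filebeat installs its own default policy content under that name, which is why the policy has to exist in Elasticsearch first.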
