In case of logstash I was able to specify an existing policy name in the Elasticsearch output.
Something like:
output
{
elasticsearch
{
hosts => "http://XXXXXXXXXXX"
ilm_enabled => "true"
ilm_rollover_alias => "log-device"
ilm_pattern => "000001"
ilm_policy => "my_policy"
user => 'YYYYYYYY'
password => 'ZZZZZZZZ'
}
}
However in case of filebeat the documentation says:
setup.ilm.policy_name : The name to use for the lifecycle policy. The default is filebeat.
So can I put my_policy here and expect that it will work? Something like this:
setup.ilm.policy_name : my_policy
If not I will have to write my own JSON based lifecycle policy to reduce the number days the indices are retained to one week. Is there any other way to achieve the same in a easier way?
It is super useful to manage the number of days the indices are retained at a central place like Kibana console. The deplyoments of the filebeat can be across hundreds of PC. And it will be a nightmare to change the JSON files manually.
I hope my understanding of the situation is wrong and there are better ways to manage the number of days I retain the indices created by filebeat.