Hello everyone, the question may be stupid, but I want to clarify: aliases in elasticsearch are essentially like links to one or more indexes or data streams, but recently during the creation of the ILM, I saw an error - "index.lifecycle.rollover_alias" is empty or not defined, so, this "index.lifecycle.rollover_alias" is the same as the usual "alias" or something else?
Take a look at this part of the docs. It relates to the read alias once the underlying index has been rolled over.
The only stupid question is the one that is unasked.
Such a question, I read the manual and I seem to have done everything right, but I still get an error for indices, I use the vazuh template and add the following to it:
{
"order": 0,
"index_patterns": [
"wazuh-alerts-4.x-*",
"wazuh-archives-4.x-*"
],
"settings": {
"index.refresh_interval": "5s",
"index.number_of_shards": "3",
"index.number_of_replicas": "0",
"index.auto_expand_replicas": "0-1",
"index.lifecycle.name": "wazuh_ilm",
"index.lifecycle.rollover_alias": "wazuh-alerts-4.x",
"index.mapping.total_fields.limit": 10000,
then restart filebeat
My wazuh_ilm:
PUT _ilm/policy/wazuh_ilm
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"set_priority": {
"priority": 100
},
"rollover": {
"max_age": "1d"
}
}
},
"warm": {
"min_age": "5d",
"actions": {
"set_priority": {
"priority": 50
}
}
},
"delete": {
"min_age": "7d",
"actions": {
"delete": {
"delete_searchable_snapshot": true
}
}
}
}
}
}
And after a while I get an error:
illegal_argument_exception: setting [index.lifecycle.rollover_alias] for index [wazuh-alerts-4.x-2022.11.02] is empty or not defined
I believe you need to create one index template per index pattern as two patterns can not share a rollover alias.
Closed as duplicate of