Curator instead of ILM to delete old indices

Bruceclegg · February 12, 2021, 9:45pm

I have been unable to use ILM to manage my indices. The developers have the index names hardcoded in their code and don't want to change the index names.

I attempted to use curator and was only partially successful. It appeared to delete the old index, but it also knocked the web interface down. I had to restart kibana to get the browser interface back up AND the job deleted the index patterns. Can someone tell me where I went wrong and what I need to do to fix this?

[root@ELK curator]# cat action.yml
actions:
1:
action: delete_indices
description: >-
Delete indices older than 30 days (based on creation date).
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: age
source: creation_date
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 30

[root@ELK curator]# cat config.yml
client:
hosts:
- 10.X.X.X
port: 9200
url_prefix:
use_ssl: False
certificate:
client_cert: /etc/elasticsearch/config/certs/elk/elk.crt
client_key: /etc/elasticsearch/config/certs/elk/elk.key
ssl_no_validate: False
http_auth: kibana:
timeout: 30
master_only: False

logging:
loglevel: INFO
logfile: /var/log/curator/curator_log
logformat: default
blacklist: ['elasticsearch', 'urllib3']

Logging from dry-run:
2021-02-12 15:31:24,750 INFO Preparing Action ID: 1, "delete_indices"
2021-02-12 15:31:24,752 INFO Creating client object and testing connection
2021-02-12 15:31:24,758 WARNING Use of "http_auth" is deprecated. Please use "username" and "password" instead.
2021-02-12 15:31:24,758 INFO Instantiating client object
2021-02-12 15:31:24,760 INFO Testing client connectivity
2021-02-12 15:31:24,788 INFO Successfully created Elasticsearch client object with provided settings
2021-02-12 15:31:24,794 INFO Trying Action ID: 1, "delete_indices": Delete indices older than 30 days (based on creation date).
2021-02-12 15:31:24,982 INFO DRY-RUN MODE. No changes will be made.
2021-02-12 15:31:24,982 INFO (CLOSED) indices may be shown that may not be acted on by action "delete_indices".
2021-02-12 15:31:24,982 INFO DRY-RUN: delete_indices: .kibana6_7 with arguments: {}
2021-02-12 15:31:24,983 INFO DRY-RUN: delete_indices: .kibana6_8 with arguments: {}
2021-02-12 15:31:24,983 INFO DRY-RUN: delete_indices: .kibana_task_manager with arguments: {}
2021-02-12 15:31:24,983 INFO DRY-RUN: delete_indices: .reporting-2021.01.03 with arguments: {}
2021-02-12 15:31:24,983 INFO DRY-RUN: delete_indices: .tasks with arguments: {}
2021-02-12 15:31:24,983 INFO DRY-RUN: delete_indices: aapc.log-local with arguments: {}
2021-02-12 15:31:24,984 INFO DRY-RUN: delete_indices: banking-development- with arguments: {}
2021-02-12 15:31:24,984 INFO Action ID: 1, "delete_indices" completed.
2021-02-12 15:31:24,985 INFO Job completed.

Logs from NOT dry-run:

2021-02-12 15:41:44,830 INFO Preparing Action ID: 1, "delete_indices"
2021-02-12 15:41:44,831 INFO Creating client object and testing connection
2021-02-12 15:41:44,836 WARNING Use of "http_auth" is deprecated. Please use "username" and "password" instead.
2021-02-12 15:41:44,837 INFO Instantiating client object
2021-02-12 15:41:44,838 INFO Testing client connectivity
2021-02-12 15:41:44,847 INFO Successfully created Elasticsearch client object with provided settings
2021-02-12 15:41:44,853 INFO Trying Action ID: 1, "delete_indices": Delete indices older than 30 days (based on creation date).
2021-02-12 15:41:44,998 INFO Deleting 7 selected indices: ['.kibana6_8', 'aapc.log-local', '.kibana_task_manager', '.tasks', '.kibana6_7', 'banking-development-', '.reporting-2021.01.03']
2021-02-12 15:41:44,999 INFO ---deleting index .kibana6_8
2021-02-12 15:41:44,999 INFO ---deleting index aapc.log-local
2021-02-12 15:41:44,999 INFO ---deleting index .kibana_task_manager
2021-02-12 15:41:44,999 INFO ---deleting index .tasks
2021-02-12 15:41:45,000 INFO ---deleting index .kibana6_7
2021-02-12 15:41:45,000 INFO ---deleting index banking-development-
2021-02-12 15:41:45,000 INFO ---deleting index .reporting-2021.01.03
2021-02-12 15:41:45,802 INFO Action ID: 1, "delete_indices" completed.
2021-02-12 15:41:45,803 INFO Job completed.

I was expecting the aapc.log-local and the banking-development index to be deleted - the other indexes are all less than 30 days old. I am surmising I should not have deleted the other 5 indices. How can I modify curator to skip those?

theuntergeek · February 12, 2021, 10:29pm

Sure thing!

This is your only filter, an age filter which checks the creation_date of every index passed into it. Since you're not also filtering for named indices, this filter will identify every index older than 30 days, including system indices, like .kibana ones.

You should insert a pattern filter and do kind: regex to use logical OR, like the documentation suggests:

- filtertype: pattern
  kind: regex
  value: '^banking-development|^aapc.log-local'

If you put this above (or after, but it saves the creation date calculation if you do this part before the age filter) your existing filter, only the banking-development and aapc.log-local indices would have been deleted.

Bruceclegg · February 17, 2021, 3:37pm

Thank You! I have set this up and it looks good in --dry-run.

system · March 17, 2021, 3:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove old index automatically Elasticsearch curator , ilm-index-lifecycle-management	3	1401	July 28, 2020
Deleting Indexes Elasticsearch	3	320	May 7, 2020
Curator no longer working. I think it's related to a failed ILM setup Elasticsearch	3	785	September 5, 2019
Curator not can find indecies Elasticsearch curator	7	497	June 13, 2023
Using Curator Elasticsearch	6	724	April 22, 2020

Curator instead of ILM to delete old indices

Related Topics