Curator - Is it possible to string multiple pattern filters into a single action

bwgriffith · November 8, 2016, 11:13am

I was wondering if it was possible to string multiple pattern type matches into a single curator action. Mainly trying to minimize the number of individual actions.

An example of what I'm trying to do, but it does not return any matches is:

actions:
  1:
    action: delete_indices
    description: >-
      Delete indices older than 30 days (based on index name), for logstash-
      prefixed indices. Ignore the error if the filter does not result in an
      actionable list of indices (ignore_empty_list) and exit cleanly.
    options:
      ignore_empty_list: True
      timeout_override:
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: pattern
      kind: prefix
      value: .watch_history- 
      exclude:
    - filtertype: pattern
      kind: prefix
      value: .shield_audit_log- 
      exclude:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 7
      exclude:

Any help would be appreciated.

theuntergeek · November 8, 2016, 1:23pm

You will, of course, see nothing here, because you're telling it to only include indices that start with .watch_history and also only start with .shield_audit_log. There's nothing left to try to delete older than 7 days worth.

If you are trying to delete both in one shot, you'll need to use kind: regex instead of prefix, and set it accordingly.

It might look something like:

kind: regex
value: '^(\.watch_history-|\.shield_audit_log).*$'

or something like that.

bwgriffith · November 8, 2016, 1:41pm

Gotcha... that did the trick.

Thanks!

system · December 6, 2016, 1:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.