Deleting all beats indices with Curator

Hope this is the right place to post this:

I've installed Curator 4.0.1, and am using it to delete indices older than 14 days. It works fine if I'm only trying to delete a single index like logstash or filebeat. However, I'm trying to customize the example delete_indices.yml to delete my filebeat, packetbeat, and topbeat indices in one pass. But I can't find the right directive to accomplish that. Here's what the file looks like:

actions:
  1:
    action: delete_indices
    description: >-
      Delete indices older than 14 days (based on index name), for beat-
      prefixed indices. Ignore the error if the filter does not result in an
      actionable list of indices (ignore_empty_list) and exit cleanly.
    options:
      ignore_empty_list: False
      timeout_override:
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: pattern
      kind:
      value:
      exclude:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 14
      exclude: False

It's the filters "kind" and "value" that I can't seem to get right. Help would, as always, be appreciated.

You might try kind: regex and have a value: '^.*beat-.*$' to filter for indices with beat- in them.

Be sure to use the --dry-run flag to test before acting on it, to make sure it doesn't do something you don't want.

Also, Curator 4.0.6 is out now, with many bug fixes since 4.0.1.
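
An added illustration (not part of the thread and not Curator's own code): a Python approximation of what the suggested regex combined with the 14-day name-based age filter would select, run over constructed index names. The stricter pattern and the `offbeat-audit-` index are assumptions, included to show the kind of over-match a dry run is meant to catch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample index names; not taken from the original thread.
SAMPLE_INDICES = [
    "filebeat-2016.08.01",
    "packetbeat-2016.08.01",
    "topbeat-2016.08.01",
    "topbeat-2016.08.25",        # too recent to delete
    "logstash-2016.08.01",       # old, but not a beats index
    "offbeat-audit-2016.08.01",  # hypothetical non-beats index containing "beat-"
    ".kibana",                   # no date in the name
]

SUGGESTED = r"^.*beat-.*$"                       # value from the reply above
TIGHTER = r"^(filebeat|packetbeat|topbeat)-.*$"  # assumed stricter alternative

DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")     # regex form of '%Y.%m.%d'


def would_delete(indices, pattern, now, unit_count=14):
    """Approximate the pattern + age (source: name, direction: older) filters."""
    cutoff = now - timedelta(days=unit_count)
    selected = []
    for name in indices:
        if not re.search(pattern, name):
            continue                  # pattern filter: name must match
        stamp = DATE_RE.search(name)
        if stamp is None:
            continue                  # age filter: no parsable date in the name
        if datetime.strptime(stamp.group(), "%Y.%m.%d") < cutoff:
            selected.append(name)
    return selected


if __name__ == "__main__":
    now = datetime(2016, 8, 30)       # constructed reference time
    for label, pat in (("suggested", SUGGESTED), ("tighter", TIGHTER)):
        print(label, would_delete(SAMPLE_INDICES, pat, now))
```
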

Thanks, Aaron, that worked a treat! I very much appreciate the support I get in all of the Elastic forums - my issues get resolved, and I learn a great deal, too.
