All the indices I deal with contain logs from servers so I'd like to have Curator delete indices once the documents inside them refer to events that happened more than N days ago. Looking at the Curator documentation https://www.elastic.co/guide/en/elasticsearch/client/curator/current/fe_source.html#_field_stats_based_ages_2 it seems this is possible using source: field_stats however it's not clear to me what the example in documentation does and hence whether I want to use min_value or max_value
If I wanted an index to be deleted once all the documents in it refer to events more than 365 days ago, would this:
- filtertype: age
source: field_stats
direction: older
unit: days
unit_count: 365
field: '@timestamp'
stats_result: max_value
be how to define that?
I'm using Curator 5.8. The cluster is currently running Elasticsearch 6.8 but will be upgraded to 7 in due course.