I realize this question goes a bit counter to the usage of a frozen tier, but I'll outline our use-case.
We have an ILM policy of 10 days hot, 80 days frozen. Some of our customers have the need to remove data we store (think data removal requests). For the default case, our lifecycle policy works fine, data older than 90 days total is just deleted. However, if a customer wants us to remove specific data, such as documents where some_field = $some_id, It's unclear to me if its possible to delete a subset of data within my frozen tier.
One Idea I'm considering / trying is the following:
- One at a time, mount snapshots containing the data stream I need to delete data from. It seems I cannot determine which specific snapshots may contain documents I care about.
- Create a temporary index that is writeable
- Re-index, the read-only index to the writable index, using a query to exclude the documents I wish to remove.
- Snapshot the new index
- Unmount the old snapshot, and delete the snapshot.
This seems quite intensive and I'm hoping there is a better solution. Worst case we would do this as a daily operation in a bulk fashion.