Should be .... the following... if you want ILM to work.
Your logstash config is wrong it is meant for daily indices not ILM.
This should work going forward... your other indices will never roll over because they are "Daily Indices" and are not using the Write Alias which is
filebeat-7.17.13
hence
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
Correct
output {
if [@metadata][pipeline] {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
pipeline => "%{[@metadata][pipeline]}"
}
} else {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
}
}
You will need to manually delete the old indices as they will never rollover and thus never move to the next step and never be deleted
To be direct the Guide you are following was intended to use Daily Indices not ILM... until now .. we did not know that... and that is the source of most of these issues.
You still need to run
./filebeat setup -e
At least once while filebeat is pointing to Elasticsearch BEFORE you start sending data through logstash.
See it should look like this you are missing all the write alias ....
GET /filebeat-7.17.3-2024.01.09-000001
{
"filebeat-7.17.3-2024.01.09-000001" : {
"aliases" : { <!--- THIS
"filebeat-7.17.3" : { <!--- THIS
"is_write_index" : true <!--- THIS
}
},