Elasticsearch curator delete disk space

ohollx · June 26, 2019, 1:38am

Hi.

I'm trying to delete an index automatically using an elastic curator.
I think the index is deleted when setting as below, but I do not understand exactly how it works.

actions:
One:
action: delete_indices
options:
ignore_empty_list: True
timeout_override: 300
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: wazuh-
- filtertype: space
disk_space: 0.3
use_age: True
source: creation_date

When the individual index reaches the capacity set in disk_space, the old index is deleted from the oldest index. If the index list is deleted, it also includes logs that do not meet the capacity set in disk_space.
And I do not know how much of the entire index is deleted.

What I would like to do is to delete 10% of the total log from the old log when the index total capacity reaches the capacity set in disk_space.

I would appreciate your help.
thank you.

theuntergeek · June 26, 2019, 1:56am

What these filters do:

Select only indices beginning with wazuh-
Sum the space of all indices selected by any and all previous filters, in this case, the filter in step 1. Delete all indices in excess of the specified amount of disk_space in gigabytes, starting with the oldest (determined by use_age: true).

What you're doing is deleting all wazuh- indices using in excess of 300 Mbytes. You can see the math used by running Curator with --dry-run and setting loglevel: DEBUG in the client settings yaml file.

ohollx · June 26, 2019, 2:24am

At run time, the following result is displayed. If you check the store.size of the delete file, there is no index of 300mb.

curator --configcurator-config.yml delete_indices_space.yml --dry-run

2019-06-26 11:12:58,982 INFO 2019-06-26 11:12:58,991 INFO 2019-06-26 11:12:59,081 INFO 2019-06-26 11:12:59,081 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,082 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,083 INFO 2019-06-26 11:12:59,084 INFO 2019-06-26 11:12:59,084 INFO Preparing Action ID: 1, "delete_indices"
Trying Action ID: 1, "delete_indices": No description given
DRY-RUN MODE. No changes will be made.
(CLOSED) indices may be shown that may not be acted on by action "delete_indices".
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.03 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.04 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.05 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.06 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.07 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.08 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.09 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.10 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.11 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.12 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.13 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.14 with arguments: {}
DRY-RUN: delete_indices: wazuh-alerts-3.x-2019.05.15 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.03 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.05 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.06 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.07 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.08 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.09 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.10 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.11 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.12 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.13 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.14 with arguments: {}
DRY-RUN: delete_indices: wazuh-monitoring-3.x-2019.05.15 with arguments: {}
Action ID: 1, "delete_indices" completed.
Job completed.

If you run disk_space with 200mb, more indexes will be deleted than 300mb. I do not understand this part.

The store.size in each individual index file is up to 18mb, which is less than 200 or 300mb. I wonder if the index is selected in some criteria.
index Is not the capacity reference store.size?

I would appreciate your help.
thank you.

theuntergeek · June 26, 2019, 3:11am

You're showing which indices were set to be deleted, but not the log lines which show how the space math is calculated.

As stated, Curator selects indices when the total sum of all indices is in excess of disk_space gigabytes, beginning with the newest (most recent) indices, as it will delete older indices in excess of the amount specified by disk_space. Curator does not look for a single index of that size. It's a sum.

ohollx · June 26, 2019, 6:35am

Thanks to the friendly explanation, I understood.

But there is one thing that I do not understand.
If disk_size is set to 300mb, it will be deleted from the oldest index except 300mb index.

However, curator's index size calculation is strange.
This is indices store size as confirmed by GET _stats below.
"store": {
"size_in_bytes": 4447439230
},

I'm wondering if the size of the indices is above,
If disk_size of curator is set to 3G, deletion list should be generated, but there is no deletion list.

I do not know if the calculation method is wrong or there is something wrong with me.

I would appreciate your help.

thank you.

action: delete_indices
options:
  ignore_empty_list: True
  timeout_override: 300
  continue_if_exception: False
  disable_action: False
filters:
- filtertype: pattern
  kind: prefix
  value: wazuh-
- filtertype: space
  disk_space: 3
  use_age: True
  source: creation_date

theuntergeek · June 26, 2019, 12:27pm

Please paste the section of the DEBUG output which shows how the sizes are summed up and we can go over it together. It should be pretty clear how it sums the space consumed by the indices, starting from the most recent, so that all older indices above your 3G threshold are selected for the associated action (in this case, delete_indices).

ohollx · June 27, 2019, 12:48am

I confirmed my mistake while confirming what you told me.
The size search method is invalid.
Thanks to me, I solved a problem that was difficult for me.
It has helped a lot.
thank you.

system · July 25, 2019, 12:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Delete Index automaticly with curator Elasticsearch	2	1078	August 8, 2017
Delete after Total Disk Space Reaches Threshold Elasticsearch	5	4484	July 5, 2017
Curator's delete by disk space doesn't remove logs Elasticsearch	4	825	April 24, 2017
Curator: Delete oldest indices based on ES cluster size Elasticsearch	10	6347	December 22, 2016
Curator Delete indicies based on disk size and index age Elasticsearch curator	2	1214	August 2, 2019

Elasticsearch curator delete disk space

curator --configcurator-config.yml delete_indices_space.yml --dry-run

Related topics