Situation; I'm currently shipping windows logs to elasticsearch via winlogbeat and grabbing specific events from the past 3 months. All I really want is the last 3 months of logs and nothing else. Each day has its own index, with 5 shards per index and 450 shards for 90 days. So what is the best way in going about automated shard deletion?
Question;
- Can I setup shards so they have 90 day TTL?
- Shards have dates in their name, can I
if date < 90 days = delete? - Where do I set this up?
Any information provided will be much appreciated.
Thanks!