Force index rollover with a new index name

Hello,
I configured the Filebeat agent to send data directly to Elasticsearch from multiple agents. Afterwards I added the index to a have a problem with the rollover
I added the index to the retention policy test0.
The index settings:

{
  "ecs-agent-windows": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "test0",
          "rollover_alias": "ecs-agent-windows1",
          "indexing_complete": "true"
        },
        "routing": {
          "allocation": {
            "include": {
              "_tier_preference": "data_warm,data_hot"
            }
          }
        },
        "number_of_shards": "1",
        "provided_name": "ecs-agent-windows",
        "creation_date": "1663002046263",
        "priority": "50",
        "number_of_replicas": "0",
        "uuid": "OgE-V8WVRBqW56Hwwmo5Bg",
        "version": {
          "created": "8030299"
        }
      }
    }
  }
}
The policy settings:
{
  "test0": {
    "version": 1,
    "modified_date": "2022-10-05T17:17:50.872Z",
    "policy": {
      "phases": {
        "warm": {
          "min_age": "1s",
          "actions": {
            "set_priority": {
              "priority": 50
            }
          }
        },
        "hot": {
          "min_age": "0ms",
          "actions": {
            "set_priority": {
              "priority": 100
            },
            "rollover": {
              "max_primary_shard_size": "50gb",
              "max_age": "10m",
              "max_docs": 500
            }
          }
        }
      }
    },
    "in_use_by": {
      "indices": [
        "ecs-agent-windows",
        "ecs-agent-filebeat-2022.10.05-000002",
        "ecs-agent-filebeat-2022.10.05-000001",
        "ecs-agent-filebeat"
      ],
      "data_streams": ,
      "composable_templates": [
        "ecs-agent-windows",
        "agent-filebeat",
        "agent-winlogbeat"
      ]
    }
  }
}
The ILM explain:
{
  "indices": {
    "ecs-agent-windows": {
      "index": "ecs-agent-windows",
      "managed": true,
      "policy": "test0",
      "index_creation_date_millis": 1663002046263,
      "time_since_index_creation": "23.8d",
      "lifecycle_date_millis": 1663002046263,
      "age": "23.8d",
      "phase": "warm",
      "phase_time_millis": 1665015792294,
      "action": "complete",
      "action_time_millis": 1665016742506,
      "step": "complete",
      "step_time_millis": 1665016742506,
      "phase_execution": {
        "policy": "test0",
        "phase_definition": {
          "min_age": "1s",
          "actions": {
            "set_priority": {
              "priority": 50
            }
          }
        },
        "version": 1,
        "modified_date_in_millis": 1664990270872
      }
    }
  }
}
The logs are always added to ecs-agent-windows, even though the index is at the complete phase.
Is there any way to force the rollover to resolve this issue from Elasticsearch, knowing that I don't have access to the Filebeat agent?
Best regards,

Hello,
Can I have an expert who can help me to solve the issue?

Regards,

Hi @frank_rib

It is unclear what the past state, current state and desired state you want......

Let's start with some basics: what version are you on? For all components?

Are you using elastic agent or filebeat?

Are you trying to use Indices or Data Streams? (Do you know the difference? Do you have a preference .. I see mixed references above)

Can you show your filebeat.yml? This is a good place to start.

It is unclear whether you are trying to use a data stream / index.

I see "ecs-agent-windows" named as a data stream in the policy but at the top you seem to have it named as an index... that is confusing and probably part of the issues.

So going back ... perhaps explain what you are trying to accomplish at a higher level than just asking how to rollover.

What do you want going forward.

If you are new to Elastic I highly encourage you to use most of the defaults until you get a good understanding of all the components and their relationships.

If you just want to force a rollover (which I do not think will work)

See here (actually works for data streams too)

POST ecs-agent-windows1/_rollover
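
Added example, not part of any post in this thread: a small Python check that reads the fields shown in the question's index settings and ILM explain output and lists the conditions that keep ILM from rolling the index over. The sample dictionaries are constructed from the values posted above; the `write_aliases` parameter is a hypothetical input standing for the result of an alias lookup, which the thread does not show.

```python
import re

# Constructed sample: relevant fields copied from the index settings and
# ILM explain output posted in the question.
SETTINGS = {
    "index": "ecs-agent-windows",
    "lifecycle": {
        "name": "test0",
        "rollover_alias": "ecs-agent-windows1",
        "indexing_complete": "true",
    },
}
EXPLAIN = {"phase": "warm", "action": "complete", "step": "complete"}


def rollover_blockers(settings, explain, write_aliases=None):
    """Return the reasons ILM will not roll this index over.

    write_aliases: optional set of alias names for which this index is the
    write index (hypothetical input; pass None to skip the alias check).
    """
    problems = []
    name = settings["index"]
    lifecycle = settings.get("lifecycle", {})
    alias = lifecycle.get("rollover_alias")

    if not alias:
        problems.append("index.lifecycle.rollover_alias is not set")
    elif write_aliases is not None and alias not in write_aliases:
        problems.append(f"alias '{alias}' does not have this index as write index")
    # ILM derives the next index name by incrementing a numeric suffix.
    if not re.search(r"-\d+$", name):
        problems.append(f"index name '{name}' does not end in -<number>")
    # ILM skips the rollover action once indexing_complete is true.
    if str(lifecycle.get("indexing_complete", "false")).lower() == "true":
        problems.append("index.lifecycle.indexing_complete is true")
    # In policy test0 rollover is a hot-phase action only.
    phase = explain.get("phase")
    if phase != "hot":
        problems.append(f"index is in phase '{phase}', past the hot-phase rollover")
    return problems


if __name__ == "__main__":
    for reason in rollover_blockers(SETTINGS, EXPLAIN):
        print("blocked:", reason)
```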
