I want to configure datastream for gathering my application logs. And I want to keep the data from the app for a specific time, let say for one week. I will not use hot-warm-cold architecture, I just want to have logs for one week and then delete it. And I'm struggling with configuring ILM for that.
If I understand it correctly I can setup rollover based on index creation date. So I can set rollover for one day and then setup delete phase with 6 days. But what will happen with index which is already rolled over ? It will still remain searchable within datastream ?
that's a good question. In short: yes. A datastream is a concept in Elasticsearch, that is backed by any number of read indices and one write index. A rollover essentially creates a new empty write index and turns the previous write index into a read index. Querying the datastream will query all backing read and write indices. The datastream docs have some nice visuals to explain it better than I could with words.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.