How to configure datastream and ILM to keep logs for specific time

lancer_enkor · May 5, 2021, 9:17am

I want to configure datastream for gathering my application logs. And I want to keep the data from the app for a specific time, let say for one week. I will not use hot-warm-cold architecture, I just want to have logs for one week and then delete it. And I'm struggling with configuring ILM for that.

If I understand it correctly I can setup rollover based on index creation date. So I can set rollover for one day and then setup delete phase with 6 days. But what will happen with index which is already rolled over ? It will still remain searchable within datastream ?

weltenwort · May 5, 2021, 9:34am

Hi @lancer_enkor,

that's a good question. In short: yes. A datastream is a concept in Elasticsearch, that is backed by any number of read indices and one write index. A rollover essentially creates a new empty write index and turns the previous write index into a read index. Querying the datastream will query all backing read and write indices. The datastream docs have some nice visuals to explain it better than I could with words.

Does that answer your question?

lancer_enkor · May 5, 2021, 11:58am

Yes, thank you for clarification.

Topic		Replies	Views
Can Rollover API / ILM be used to keep only x days data in an index at any point of time Elasticsearch ilm-index-lifecycle-management	15	691	September 20, 2023
ILM doesn't rollover Elasticsearch ilm-index-lifecycle-management	2	378	April 9, 2023
Inconsistent datastream index rollover Elasticsearch ilm-index-lifecycle-management , datastreams	1	400	February 27, 2023
Question about Elasticsearch ILM Index Lifecycle Policies Elasticsearch ilm-index-lifecycle-management	2	52	January 24, 2025
Elasticsearch ILM Policies Elasticsearch ilm-index-lifecycle-management	1	275	October 21, 2023

How to configure datastream and ILM to keep logs for specific time

Related topics