@bianca6
thank you very much.
put _cat/aliases shows
.transform-notifications-read .transform-notifications-000002 - - - -
.kibana-event-log-8.3.2 .kibana-event-log-8.3.2-000001 - - - true
.preview.alerts-security.alerts-default .internal.preview.alerts-security.alerts-default-000059 - - - false
.kibana_task_manager_8.2.2 .kibana_task_manager_8.2.2_001 - - - -
.lists-default .lists-default-000001 - - - true
.preview.alerts-security.alerts-default .internal.preview.alerts-security.alerts-default-000060 - - - true
.kibana_task_manager .kibana_task_manager_8.3.2_001 - - - -
.kibana_task_manager_8.3.2 .kibana_task_manager_8.3.2_001 - - - -
.items-default .items-default-000001 - - - true
.kibana_8.2.2 .kibana_8.2.2_001 - - - -
.security .security-7 - - - -
cisco-switch cisco-switch-000001 - - - -
.kibana .kibana_8.3.2_001 - - - -
.kibana_8.3.2 .kibana_8.3.2_001 - - - -
.kibana-event-log-8.2.2 .kibana-event-log-8.2.2-000002 - - - false
.kibana-event-log-8.2.2 .kibana-event-log-8.2.2-000001 - - - false
cisco-asa cisco-asa-000001 - - - -
.kibana-event-log-8.2.2 .kibana-event-log-8.2.2-000003 - - - true
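But cisco_switch-2022.07.26, cisco-switch-2022.07.27 and cisco-switch2022.07.28 are not listed there, and the same goes for cisco-asa-2022.07.xx; in the output above, the cisco-switch and cisco-asa aliases each point only to their -000001 index.
Somehow the template does not seem to add the aliases to the newly created indices, and I keep getting the error.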
@warkolm I'm using the default ILM policy 90-days-default that came with the ELK Stack, without any changes to it, but here it is:
PUT _ilm/policy/90-days-default
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "30d",
"max_primary_shard_size": "50gb"
}
}
},
"warm": {
"min_age": "2d",
"actions": {
"shrink": {
"number_of_shards": 1
},
"forcemerge": {
"max_num_segments": 1
}
}
},
"cold": {
"min_age": "30d",
"actions": {}
},
"delete": {
"min_age": "90d",
"actions": {
"delete": {
"delete_searchable_snapshot": true
}
}
}
},
"_meta": {
"managed": true,
"description": "built-in ILM policy using the hot, warm, and cold phases with a retention of 90 days"
}
}
}