ILM elasticsearch not working

Such a question, I read the manual and I seem to have done everything right, but I still get an error for indices, I use the wazuh template and add the following to it:

{
  "order": 0,
  "index_patterns": [
    "wazuh-alerts-4.x-*",
    "wazuh-archives-4.x-*"
  ],
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "3",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0-1",
    "index.lifecycle.name": "wazuh_ilm",
    "index.lifecycle.rollover_alias": "wazuh-alerts-4.x",
    "index.mapping.total_fields.limit": 10000,

then restart filebeat
My wazuh_ilm:

PUT _ilm/policy/wazuh_ilm
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "set_priority": {
            "priority": 100
          },
          "rollover": {
            "max_age": "1d"
          }
        }
      },
      "warm": {
        "min_age": "5d",
        "actions": {
          "set_priority": {
            "priority": 50
          }
        }
      },
      "delete": {
        "min_age": "7d",
        "actions": {
          "delete": {
            "delete_searchable_snapshot": true
          }
        }
      }
    }
  }
}

And after a while I get an error:

illegal_argument_exception: setting [index.lifecycle.rollover_alias] for index [wazuh-alerts-4.x-2022.11.02] is empty or not defined

And when I add a template to ilm in the field "linked index templates" I see 0

This seems a duplicate of your other post.

Please, avoid creating duplicate posts.

I marked the post to be deleted.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.