HI,
here is my policy and template and attached conf file, 4100+ documents ingested successfully but it is not rolled over on 1000 doc check please help me out why it is not rolling over
Here is my conf content
input {
file {
codec => "json"
path => "/home/shoaib/searlite_latest_data.json"
start_position => "beginning"
sincedb_path => "/dev/null"
max_open_files => 10000
#ignore_older => 0
}
}
filter {
json {
source => "url"
}
grok {
match => ["url", "^(?:https?://)?(?:www.)?(?[^/:]+)\S*"]
}
skip droped malicious to inser
#if "dropped_malicious" in [path] {
drop{}
}
change url type on the basis of directory
if "repute" in [path] and [t] == "b" {
mutate { replace => { "t" => "rb" } }
}
if "repute" in [path] and [t] == "d" {
mutate { replace => { "t" => "rd" } }
}
if "scan" in [path] and [t] == "b" {
mutate { replace => { "t" => "sb" } }
}
if "scan" in [path] and [t] == "d" {
mutate { replace => { "t" => "sd" } }
}
}
output {
elasticsearch {
hosts => "http://localhost:9200"
index => "timeseries"
document_id => "%{hostname}%{created_at}"
}
stdout { }
}
######################## API ####################################
PUT /_ilm/policy/timeseries_policy?pretty
{
"policy": {
"phases": {
"hot": {
"actions": {
"rollover": {
"max_docs": 1000
}
}
}
}
}
}
PUT /_index_template/timeseries_template?pretty
{
"index_patterns": ["timeseries-*"],
"template": {
"settings": {
"number_of_shards": 1,
"number_of_replicas": 0,
"index.lifecycle.name": "timeseries_policy",
"index.lifecycle.rollover_alias": "timeseries"
}
}
}
PUT /timeseries-000001?pretty
{
"aliases": {
"timeseries": {
"is_write_index": true
}
}
}
GET /timeseries-*/_ilm/explain?format
POST /timeseries/_doc?pretty
{
"@timestamp": "1591890611",
"url": "http://2266608xyzshjd/register?key=1000350241",
"customer_name": "fareed",
"created_at": "2020-11-11 10:57:40.843094",
"hostname": "vm1-searcliteapi-v2",
"t": "m",
"s": "r",
"domain": "2266608xyzshjd"
}
############################# end #################################