Ilm policy on system index

pathri · May 31, 2019, 5:27am

I am trying to put a policy on the system generated indices specifically to

".monitoring-es-...."
&
".monitoring-kibana-...."

i have created a policy which is simply deleting these indices which are having age as 1 day

policy is as below

{
"delete-system-indices" : {
"version" : 1,
"modified_date" : "2019-05-31T04:19:06.506Z",
"policy" : {
"phases" : {
"hot" : {
"min_age" : "0ms",
"actions" : {
"set_priority" : {
"priority" : 100
}
}
},
"delete" : {
"min_age" : "1d",
"actions" : {
"delete" : { }
}
}
}
}
}
}

now i am trying to put the above created policy on the mentioned indices but not able to find out the appropriate command.

Please help

Thanks in advance

jakelandis · May 31, 2019, 4:25pm

Monitoring (which pre-dates ILM) has a means to clean up old indexes. https://www.elastic.co/guide/en/elasticsearch/reference/7.1/monitoring-settings.html

The gotcha here is that is only applicable for clusters which are monitoring themselves. So if the cluster that has these indexes is monitoring itself (e.g. local exporter) using the built in cleaner should be preferred:

GET _cluster/settings?include_defaults=true&filter_path=*.xpack.monitoring.history.duration

PUT _cluster/settings
{
  "persistent": {
    "xpack.monitoring.history.duration" : "1d"
  }
}

To answer your question...

To apply a policy to system indices, you will need to create an index template that matches the patterns and apply the policy there.

PUT _template/ilm_delete_after_1_day
{
  "order": 10,
  "index_patterns": [".monitoring-es-*", ".monitoring-kibana-*"],
  "settings": {
    "index.lifecycle.name": "delete-system-indices"
  }
}

Now when a new index is created it will have the ILM policy attached. (this will not apply to existing indexes). You can quickly test this out with the following:

PUT .monitoring-es-testme
GET .monitoring-es-testme
DELETE .monitoring-es-testme

Note - there are some ILM actions that should be avoided with system indices, such as rollover and shrink. Actions that should be avoided are generally ones that may have pre-requisite (such as specific naming) or will result in changes that could break the system which is reading these indices. However, your usecase of deleting time series monitoring data for monitoring is valid (assuming the monitoring suggestion above doesn't apply) .

pathri · June 10, 2019, 5:02am

alright
thanks for your reply

system · July 8, 2019, 5:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.