ILM Setup support for ELK 8.3

shailendra1 · October 16, 2023, 4:09am

Dear All,

i am looking some suggestions for setting up the ILM for my data/streaming/beats . i have below senerios to accomplished and keep running my platforms.

Everyday the indices are generating with abc.yyy.mm.dd format, without any data size limits of indices within the logstash mapping and patterns, the problem here how can i setup my ILM to avoid the flood of data sizes (regular pattern is around 1gb data but suddenly if data comes to 50gb)
can we setup ILM policy or rollover configuration in the Logstash pipelines with a indices size limits?
is there any better approach to keep my platform up and running with limited to the disk spaces/cluster storages.
i am using the ELK 8.3 with FB agents in multiple hosts.

Thank you in advance for your early responses and suggestions.

sholzhauer · October 17, 2023, 12:53pm

it sounds like you are looking for the ilm rollover action based on index size:

This would rollover (create a new index) when the current reaches the configured size (checks every 10 min).

e.g:

{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover" : {
            "max_size": "5gb"
          }
        }
      },
      "delete": {
        "min_age": "2h"
      }
    }
  }
}

This policy would create indices of roughly 5gb and after rollover keep your data for an additional 2h.

system · November 14, 2023, 12:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.