Index Frequency & Rollover

Tim_Mobley · February 8, 2022, 1:17pm

If you have an ILM policy set to the default rollover settings (30 days or 50 GB), how should you configure your indexing in the LogStash output to align with that? Here's what I mean... if you have the following output block:

output {
  elasticsearch {
    hosts => [ "https://hotdata1:9200", "https://hotdata2:9200" ]
    index => "data-source-%{YYYY.MM.dd}"
  }
}

That creates a new index each day. But if the index isn't yet 50 GB we don't want that. Should I make the index setting this:

index => "data-source-%{YYYY.MM}"

...or just leave off the date altogether?

system · March 8, 2022, 1:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.