Hi, I've been reading many of the similar topics here regarding creating daily indexes with the name appearing with the current date (YYYY:MM:dd) appended to the alias name. I am having difficulty getting my elasticsearch to do this "automatically" at the turn of each day. If an index is rolled manually however, a new index is created with the current date in the format described in the ouput section of the elasticsearch.yml file.
Current behaviour is that after initial creation, the index persists across days until I manually roll the index using the api. Any hints about what might be going on?
ELK version: 7.4.2
Setup: filebeat on aggregated log server (ingesting rsyslog logs from 80 clients) => logstash (on same server as filebeat) => elasticsearch (3 separate nodes)
I would guess you are using ILM, and do not like the default behaviour.
The default policy is configured to rollover an index when it reaches either 50 gigabytes in size, or is 30 days old, whichever happens first.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.