We have an infrastructure that consists of several Filebeats that send the traces to a Logstash located on another machine where there is also a Metricbeat to plot Logstash.
We have detected that a series of indices have been generated automatically, and we have not been able to find information about them. Can you please tell us what information is stored in these indexes and if it is possible to remove them without causing errors?
I think that the main issue is that there is not much information about those system indices, what they are used for and if they can be removed without any risk of breaking something.
I asked a similar question a couple of months ago about the slm-history and ilm-history, but got no answer.
One of the most repeated recommendations from Elastic is to avoid having a lot of small indices, and yet Elasticsearch itself keeps creating those small indices without any explanation of whether it is safe to remove them or not.
It would be nice to have some information in the documentation of what is safe to remove or not depending on which features you use.
Can you clarify what version of the stack you are running? It should help understand these a bit better.
I leave the versions of the infrastructure used to clarify the scenario:
Filebeat: 7.17.0
Logstash: 7.17.3
Metricbeat: 7.17.0
Elasticsearch deployment: 7.17.1
I think that the main issue is that there is not much information about those system indices, what they are used for and if they can be removed without any risk of breaking something.
The problem with these indices is that by not being able to determine their use and, if possible, their elimination, they grow uncontrollably and a corresponding lifetime cannot be established.
This causes the use of resources and shards to multiply and lead to performance errors.