I am using logstash to push the data in YYYY.MM.dd.hh format which consider AM and PM in one index means two different hour data is available in same index. I want a index of two hours but those hours need to be continous, It can be done via rollover_api but it seems there is so many overhead due to shards shifting. Is there any procedure that it can be done in any other way like directly from logstash.
Are you using a Hot / Warm node architecture or are all your nodes the same / uniform.
If you are not using Hot / Warm you can simply create an ILM policy with the time frame you like there should be no shard shuffling.
And ILM just stops writing to the old index and just starts writing to the new index... No shards move.
If you are using Hot / warm was the shards will migrate from hot nodes to warm nodes.
If shards are moving without hot warm there may be something else going on.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.