On Elastic Cloud there is a default snapshot policy that takes a snapshot fo the entire cluster, per default this policy runs every 30 minutes and cannot be disabeld, just tricked into not running (by setting a distant future date for example).
In the Snapshot UI in Kibana there is also a validation that does not allow you to delete the last successful snapshot on the managed repository.
I'm assuming that this validation exists so the user would have a snapshot to restore the entire cluster if needed.
But as soon as you start using searchable snapshots, the last successful snapshot will not always be a snapshot of the entire cluster, it can be a snapshot with just one specific indice and in this way a user could mistakenly remove the last successful snapshot of the entire cluter and be unable to restore it.
So, shouldn't the validation be applied only for the snapshots with the name pattern from the default policy? Or validate if at least one snapshot starting with cloud-snapshot-*
is kept?
Also, since the default policy SLM policy and the searchable snapshots created by the ILM policies will use the same repository, how this impact in the data that is send to the bucket?
For example, If I have an ILM policy that moves data from hot into searchable snapshots after 7 days, and the default snapshot policy is running every 24 hours, this means that the data for this index will be sent to the bucker by the default snapshot policy before the ILM triggers the searchable snapshot, when the index move from Hot to Frozen, will the data be sent again or just the reference for the segments that are already present on the bucket?