I have this simple scenario.
I have more or less 100 hosts (Linux and Windows) and I want to gather only logs and metrics. So I have installed Filebeat and Metricbeat on all Linux hosts and Winlogbeat and Metricbeat on all Windows hosts.
From Filebeat I am getting logs from syslog, and from Winlogbeat logs from Event Viewer. I also want to save the logs to some output files in .log format, which is why I have also installed Logstash. So for the logs I am also using Logstash (Filebeat sends to Logstash and then to Elasticsearch, I suppose) and for the metrics only Elasticsearch.
I have installed ELK on 7 nodes. On 3 nodes I have Elasticsearch, Kibana and Logstash (to these 3 nodes I am sending the logs from Filebeat and Winlogbeat using the logstash output in their configuration files), and on the other 4 nodes I have only Elasticsearch (so I am sending the metrics from Metricbeat to all 7 nodes using the elasticsearch output in the Metricbeat configuration file).
After setting up this configuration, my need is to keep this data, logs and metrics, for only one week in Elasticsearch and Kibana. So I want to keep the data of the indices for only one week and then have it deleted. My indices have the format filebeat-, winlogbeat- and metricbeat-*, and after that they have the version of the beat and the date.
How can I set up a valid lifecycle policy for them and keep the indices for only one week? I tried with the lifecycle policy doc on the Elastic site but I wasn't able to set this up correctly.
I would be grateful if someone could help me with this.