I have this simple scenario.
I have more or less 100 hosts (Linux and Windows) and I want to gather only logs and metrics. So I have installed Filebeat and Metricbeat on all Linux hosts and Winlogbeat and Metricbeat on all Windows hosts.
From Filebeat I am getting logs from syslog, and from Winlogbeat logs from Event Viewer. I also want to save the logs to some output files in .log format; that's why I have also installed Logstash. So for the logs I am also using Logstash (Filebeat sends to Logstash and then to Elasticsearch, I suppose) and for the metrics only Elasticsearch.
I have installed ELK on 7 nodes. On 3 nodes I have Elasticsearch, Kibana and Logstash (to these 3 nodes I am sending the logs from Filebeat and Winlogbeat using the Logstash output in their configuration files) and on the other 4 nodes I have only Elasticsearch (so I am sending the metrics from Metricbeat to all 7 nodes using the Elasticsearch output in the Metricbeat configuration file).
After setting up this configuration, my need is to keep these data, logs and metrics, for only one week in Elasticsearch and Kibana. So I want to keep the data of the indices for only one week and then have it deleted. My indices have the format filebeat-, winlogbeat- and metricbeat-*, followed by the version of the beat and the date.
How can I set up a valid lifecycle policy for them and keep the indices for only one week? I tried with the lifecycle policy doc on the Elastic site but I wasn't able to set this up correctly.
I would be grateful if someone could help me on this.
This configuration was made to delete indexes older than 10 days; you just have to change it to 7 days, along with other parameters like index name, index pattern name...
And this configuration will be applied to the new indexes; the older ones must be deleted manually.
Yes, as I said in my first reply, "this configuration will be applied to the new indexes". The problem is that the old indexes were not created with the template and the old ones don't have an alias. For that reason you are getting this error and you have to delete them manually, but the new ones will be created with an alias and will be deleted automatically when they are older than 7 days.
With that you can update your old indexes and add the alias of your lifecycle policy to them. I'm not sure if this will work, but you can try with only one index.
I just tested it and yes, your old indexes will be added to your lifecycle policy, but I don't know if your indexes older than 7 days will be deleted automatically or if you have to do it manually; at least you will not see those errors.
For Filebeat and Winlogbeat, which are sending to Logstash, it worked perfectly. Every new index has the policy that I have configured.
The problem now is with the new Metricbeat indexes. Every new Metricbeat index is assigned to a different lifecycle policy from the one that I created. For example, I created the metricbeat_policy and the new metricbeat indices were assigned to a metricbeat-7.2.0 policy, like that. The difference between Metricbeat and Filebeat and Winlogbeat is that it has Elasticsearch as its output.
Those were my settings:

PUT _ilm/policy/metricbeat_policy
{
  "policy": {
    "phases": {
      "delete": {
        "min_age": "7d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

PUT _template/metricbeat_template
{
  "index_patterns": ["metricbeat-"],
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 1,
    "index.lifecycle.name": "metricbeat_policy",
    "index.lifecycle.rollover_alias": "metricbeat"
  }
}

PUT metricbeat-/_settings
{
  "settings": {
    "index.lifecycle.name": "metricbeat_policy",
    "index.lifecycle.rollover_alias": "metricbeat"
  }
}

I had created the same for filebeat and winlogbeat.
Did you miss the * symbol in the index_patterns in this template? That could be the reason why your new indexes are not going to metricbeat_policy.
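
An offline check of the template and policy posted above, added here as an example and not written by anyone in the thread: it shows which ILM policy an index ends up with under the posted pattern, under the pattern with `*`, and when a second, higher-order template also matches. The index name and the `BEAT` template (its pattern and order) are constructed assumptions, and the matcher models only the `*` wildcard and legacy template `order`.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}  # d/h/m/s only

def matches(pattern, index):
    # In index_patterns only '*' is a wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def effective_policy(index, templates):
    # Legacy templates merge in ascending "order"; a higher order overrides a lower one.
    settings = {}
    for tpl in sorted(templates, key=lambda t: t.get("order", 0)):
        if any(matches(p, index) for p in tpl["index_patterns"]):
            settings.update(tpl["settings"])
    return settings.get("index.lifecycle.name")

def min_age(policy):
    value = policy["policy"]["phases"]["delete"]["min_age"]  # e.g. "7d"
    return timedelta(**{UNITS[value[-1]]: int(value[:-1])})

def due_for_delete(created, now, policy):
    # Without rollover, ILM measures min_age from the index creation time.
    return now - created >= min_age(policy)

# Policy and template bodies as posted in the thread.
POLICY = {"policy": {"phases": {"delete": {"min_age": "7d",
                                           "actions": {"delete": {}}}}}}
POSTED = {"index_patterns": ["metricbeat-"],
          "settings": {"index.lifecycle.name": "metricbeat_policy",
                       "index.lifecycle.rollover_alias": "metricbeat"}}
FIXED = {**POSTED, "index_patterns": ["metricbeat-*"]}
# Constructed stand-in for a template installed by Metricbeat itself
# (pattern and order are assumptions for this example).
BEAT = {"index_patterns": ["metricbeat-7.2.0-*"], "order": 1,
        "settings": {"index.lifecycle.name": "metricbeat-7.2.0"}}
INDEX = "metricbeat-7.2.0-2019.07.20"  # constructed index name

if __name__ == "__main__":
    cases = [("posted", [POSTED]), ("fixed", [FIXED]), ("fixed + beat", [FIXED, BEAT])]
    for label, tpls in cases:
        print(f"{label:13} -> {effective_policy(INDEX, tpls)}")
    created = datetime(2019, 7, 20, tzinfo=timezone.utc)
    for days in (6, 7):
        now = created + timedelta(days=days)
        print(days, "days old, delete due:", due_for_delete(created, now, POLICY))
```

On a live cluster, `GET <index>/_ilm/explain` reports the policy that is actually attached to an index.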