Logstash with ILM configuration

Erates · January 17, 2023, 8:56pm

Hi, we have an ELK stack running (I have no say in which version, which is currently 7.x) to get the logs of our applications running in a Kubernetes cluster all combined in 1 place. The applications are pushing their logs to Logstash.

Logstash's output configuration looks like this:

    output {
        elasticsearch {
            index => "my-test"
            hosts => [ "${ES_HOSTS}" ]
            user => "${ES_USER}"
            password => "${ES_PASSWORD}"
        }
    }

Logs pushed to logstash do appear in Elasticsearch and are visible in Kibana. We have a Index template configured like this:

{
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "kubernetes_cluster_30-days"
        }
      }
    },
    "aliases": {},
    "mappings": {}
  }
}

The ILM policy kubernetes_cluster_30-days Is configured (not on 30 days like in the name, but that's for testing) like so:

But I have a feeling the rollover is not happening. We've tried already to use an index with a timestamp in the name, but that doens't rollover either.

I'm sure we're doing something wrong, but we cannot find what. Can you please help us!

Kind regards!

elasticforme · January 17, 2023, 9:39pm

is "my-test " alias to index? if not then this will not work

first you have to setup ILM
create templete where you have to assign alias
then create blank index with timestamp

then only ILM policy will roll over index

For example

PUT _ilm/policy/my-test
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_primary_shard_size": "25gb",
            "max_age": "365d"
          }
        }
      }
    }
  }
} 
GET /_cat/aliases
 
PUT _index_template/my-test
{
  "index_patterns": ["my-test-*"],
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "kubernetes_cluster_30-days",
          "rollover_alias": "my-test"
        },
        "number_of_shards": "4",
        "number_of_replicas": "1"
      }
    },
    "aliases": {},
    "mappings": {}
  }
}

#PUT <my-index-{now/d}-000001>
PUT %3Cmy-test-%7Bnow%2Fd%7D-000001%3E
{
  "aliases": {
    "my-test": {
      "is_write_index": true
    }
  }
}

What this will do is create a ILM, templet and blank index my-index--00001 and
now you write to alias "my-index" which will write to latest index.

system · February 14, 2023, 9:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with simple ILM rollover configuration for existing index Elasticsearch ilm-index-lifecycle-management	2	202	August 17, 2023
Setup rollover in index template Elasticsearch ilm-index-lifecycle-management	3	170	May 19, 2024
Index Lifecycle Management rolleover not happening properly Kibana elastic-stack-monitoring	18	938	November 13, 2020
ILM Logstash and Elastic (again) Logstash ilm-index-lifecycle-management	2	295	November 25, 2020
Trying to create a working ILM Elasticsearch elastic-stack-security , ilm-index-lifecycle-management	1	139	April 25, 2024

Logstash with ILM configuration

Related Topics