Moving from daily to weekly indices, advice needed

After running into the 1000/1000 shards issue, I need to reduce the number of shards in use, preferably without needing to remove too many old indices. Currently the configuration is set to daily indices, so we decided to move to weekly indices to allow for the longer retention period.

This is a single-node Windows server running ELK 7.4.2. We use daily indices, with no ILM configured. The configuration was created before ILM was available, and hasn't been adjusted to use ILM after migration. Currently there are around 900 indices in use.

What would be the next step?

  • Change to weekly indices by configuring Logstash to create {+xxxx.ww} indices? This is relatively simple to do.
  • Or should I create an ILM policy with a maximum hot phase of 7 days (or maximum size)? What would happen if I apply an ILM policy, with a Warm phase configured, on older indices?

And as for reindexing...

Unfortunately reindexing daily to weekly indices is a slow (and for a large part manual) process. Merging 7 dailies to a single weekly index easily takes 4 to 5 hours. With the number of indices we currently have, reindexing will take a month when running continuously.

Is there a way to speed this up? Is there a way to automate this process?

Thx,

Michel

Just found documentation on applying an ILM policy on older indices: Using ILM with existing indices | Elasticsearch Reference [7.4] | Elastic.
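
An added example, not part of the original post: one way to take the manual work out of the daily-to-weekly merge is to generate the `_reindex` request bodies from the index names. It assumes daily indices are named `<prefix>-YYYY.MM.dd` and that `{+xxxx.ww}` follows ISO week numbering; the index names in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Assumption: daily indices are named <prefix>-YYYY.MM.dd.
DAILY = re.compile(r"^(?P<prefix>.+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def weekly_name(daily_index):
    """Return the {+xxxx.ww}-style weekly name for a daily index, or None."""
    m = DAILY.match(daily_index)
    if not m:
        return None  # system or non-daily index: leave it alone
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:
        return None  # name looks like a date but is not a valid one
    # Use the ISO week-year, not the calendar year: the last days of
    # December can belong to week 01 of the following year.
    iso_year, iso_week, _ = day.isocalendar()
    return f"{m['prefix']}-{iso_year:04d}.{iso_week:02d}"


def plan_reindex(indices):
    """Group daily indices by week; return one _reindex body per weekly index."""
    groups = defaultdict(list)
    for name in sorted(indices):
        target = weekly_name(name)
        if target:
            groups[target].append(name)
    return [{"source": {"index": srcs}, "dest": {"index": dest}}
            for dest, srcs in sorted(groups.items())]


# Constructed sample spanning a year boundary, plus names that must be skipped.
SAMPLE = [
    "logstash-2019.12.28", "logstash-2019.12.29", "logstash-2019.12.30",
    "logstash-2019.12.31", "logstash-2020.01.01", ".kibana_1",
    "logstash-2019.13.40",
]

if __name__ == "__main__":
    import json
    for body in plan_reindex(SAMPLE):
        # Each body can be sent as POST _reindex?wait_for_completion=false
        print(json.dumps(body))
```

Feed it the real index list (for example from `GET _cat/indices?h=index`), and delete each daily index only after the document count of its weekly target has been checked.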