I'm currently evalutating ELK for logfile storage and analysis.
Since we may acquire up to 50GB per day we need to use different storage pathes
according to the age of indices.
So the idea I'd like to ask for feedback is this:
I have two nodes which will run three instances of elasticsearch , each.
On every node there will be a fast, a medium and a slow storage tier mounted in filesystem
and the elasticsearch instance will be started with the according storagepath,
where fast is flash based for recent indices, medium is SAS-HDD and slow is SATA-HDD for archive.
## Node 1, 3 Instanzen
bin/elasticsearch --node.vm vm1 --node.perf fast -Des.path.data=/mnt/fast
bin/elasticsearch --node.vm vm1 --node.perf medium -Des.path.data=/mnt/medium
bin/elasticsearch --node.vm vm1 --node.perf slow -Des.path.data=/mnt/slow
## Node 2, 3 Instanzen
bin/elasticsearch --node.vm vm2 --node.perf fast -Des.path.data=/mnt/fast
bin/elasticsearch --node.vm vm2 --node.perf medium -Des.path.data=/mnt/medium
bin/elasticsearch --node.vm vm2 --node.perf slow -Des.path.data=/mnt/slow
### VM-awareness
cluster.routing.allocation.awareness.attributes: vm
Using either an external script or curator I'd want to tune the settings for an index
older than n days:
### Fast Indices
PUT test/_settings
{
"index.routing.allocation.exclude.perf": "slow, medium"
}
### medium Indices
PUT test/_settings
{
"index.routing.allocation.exclude.perf": "slow, fast"
}
### slow Indices
PUT test/_settings
{
"index.routing.allocation.exclude.perf": "fast, medium"
}
If I get it right, ES would migrate the indices to the according instance which uses
the configured storage tier.
Is this a totally wrong idea or could you give any recommendations on this?
I think I will follow the blog more closely from now on 
