Need to implement a Lifecycle, but I have daily named indicies

mhare · November 14, 2019, 5:47pm

I hope I'm just not seeing something. I have version 7.4 of the Elastic Stack
Logstash creates indices as:
output {
elasticsearch {
action => "index"
hosts => [ "localhost:9200" ]
index => "memleak-%{+YYYY.MM.dd}"
workers => 1
}
for 9 different inputs (the 'memleak' part of the index name changes for each input, but otherwise the same)

So, I get a new index every day. Now I am finding I need to implement a lifecycle policy so I can age out old data.
I created a simple policy to delete data after 45 days of creation.
But I have to apply this policy to each index. And since a new indices are created everyday, I have to apply the policy to the new indices everyday?

rugenl · November 14, 2019, 5:55pm

I think you can apply your ILM policy via a template. More than one template can be applied at index creation (in ascending priority order).

For example, if you had an ILM policy "delete-at-45" that just had a delete phase, you could create a template with just that ILM setting but index patterns matching "memleak-*" and it's relation. Any other templates would still contribute their mappings and settings.

ILM is designed for more than this (rollover), but I think you can do this subset of ILM function.

Topic		Replies	Views
Setting up Index Life Management Elasticsearch ilm-index-lifecycle-management	6	898	April 18, 2022
Automatically Applying Existing ILM Policy to Newly Created Indicies Elasticsearch ilm-index-lifecycle-management	2	281	November 24, 2021
Can ILM policy be created on an existing set of indexes? Elasticsearch ilm-index-lifecycle-management	2	318	September 12, 2023
How to attach Index Lifecycle Policy to indices created by Logstash? Logstash ilm-index-lifecycle-management	6	3960	May 19, 2022
Rollover Indeces using Logstash and Elastic Logstash ilm-index-lifecycle-management	14	1335	September 20, 2020

Need to implement a Lifecycle, but I have daily named indicies

Related topics