Non timeseries beat indexes

Is it possible to set up beats (auditbeat / metricbeat / winlogbeat) to not use timeseries indexes?

I've overridden the index name in the respective config files but the template (via [beat].exe setup - manual loading) creates and applies the template to a new timeseries index, using the name I specified as the base.

I've tried setting the index name as part of the setup command but as said, this just uses that name as a base and appends the beat version and date.

The reason we want non timeseries indexes is because we don't want hundreds of very small shards, we would rather rollover once the index gets to an appropriate size. This is especially true for auditbeat, which we are only using for file change alerts; daily indexes would have little to no documents.

The only way I can think of getting around this is to export the template, change the values causing the daily indexes and then call the template api myself.

Is there any other way?

Have you tried using the ILM manager of ES with Filebeat? https://www.elastic.co/guide/en/beats/filebeat/current/ilm.html
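
The ILM approach suggested in the reply above, sketched for auditbeat as an added example (not from the original posts). It assumes Beats 7.x, where the `setup.ilm.*` settings exist; the alias, policy name, file name, host and thresholds are hypothetical values.

```yaml
# auditbeat.yml (added example; assumes Beats 7.x setup.ilm.* settings)
# With ILM enabled the Beat writes to a rollover alias instead of a daily
# index, so output.elasticsearch.index is ignored.
setup.ilm.enabled: true

# Write alias the Beat indexes into (hypothetical name).
setup.ilm.rollover_alias: "auditbeat-fim"

# Suffix of the first backing index. The default is "{now/d}-000001";
# a plain counter keeps dates out of the index names entirely,
# giving auditbeat-fim-000001, auditbeat-fim-000002, ...
setup.ilm.pattern: "000001"

# Custom policy instead of the Beat's default one (hypothetical names).
setup.ilm.policy_name: "auditbeat-fim-rollover"
setup.ilm.policy_file: "auditbeat-fim-policy.json"

# Contents of auditbeat-fim-policy.json (thresholds are constructed values):
# roll over on size, with an age ceiling so a quiet index still rotates.
#
# {
#   "policy": {
#     "phases": {
#       "hot": {
#         "actions": {
#           "rollover": { "max_size": "20gb", "max_age": "90d" }
#         }
#       }
#     }
#   }
# }

output.elasticsearch:
  hosts: ["https://localhost:9200"]   # placeholder host
```

Because file change events are the alerting source here, keep the age ceiling within whatever retention the alerting and investigation process needs before adding any delete phase to the policy.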
