Problem with Elasticsearch ILM

I have an index log-wlb-sysmon-2021.01.26 with 3 shards and zero replicas; its size is 30 MB.
Here is my sysmon index template:

    "refresh_interval": "5s",
    "number_of_shards": "3",
    "number_of_replicas": "0"

Now I want to use an ILM policy for an existing index,
so I created an ILM policy called sysmon_policy:

PUT _ilm/policy/sysmon_policy
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "100mb",
            "max_age": "1d"
          },
          "set_priority": {
            "priority": 100
          }
        }
      }
    }
  }
}

Then I added the ILM policy to the existing sysmon index template:

    "lifecycle": {
      "name": "sysmon_policy",
      "rollover_alias": "log-wlb-sysmon"
    }

In the Logstash pipeline file I made a few changes:

output {
  if [@metadata][index_name] == "sysmon" {
    elasticsearch {
      hosts => ["http://elastic:9200"]
      ilm_rollover_alias => "log-wlb-sysmon"
      ilm_pattern => "000001"
      ilm_policy => "sysmon_policy"
    }
  }
}

Then I restarted Logstash and I see an index log-wlb-sysmon-000001 with 1 shard and zero replicas.
The question is: why doesn't it have 3 shards and zero replicas, when the existing index has 3 shards and zero replicas?
I am using ELK stack 7.10.2.

Can you post the entire index template you used please?

Hey @warkolm, I created this template from Kibana (Stack Management -> Index template -> Create legacy template).
This is the template I am seeing in Kibana:

{
  "index": {
    "lifecycle": {
      "name": "sysmon_policy",
      "rollover_alias": "log-wlb-sysmon"
    },
    "refresh_interval": "5s",
    "number_of_shards": "3",
    "number_of_replicas": "0"
  }
}

GET /_cat/templates/sysmon?v&pretty

name   index_patterns     order version composed_of
sysmon [log-wlb-sysmon-*] 0        

That doesn't match;

From what I can see.
