I have an index log-wlb-sysmon-2021.01.26 having 3 shards and zero replica its size is 30 mb.
Here is my sysmon index template
"refresh_interval": "5s",
"number_of_shards": "3",
"number_of_replicas": "0"
Now i want to use ilm policy for an existing index
so i created a ilm policy called sysmon_policy
PUT _ilm/policy/sysmon_policy
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_size": "100mb",
"max_age": "1d"
},
"set_priority": {
"priority": 100
}
}
}
}
}
}
then i add ilm policy to existing sysmon index_template
"lifecycle": {
"name": "sysmon_policy",
"rollover_alias": "log-wlb-sysmon"
}
In logstash pipeline file i made few changes
output {
if [@metadata][index_name] == "sysmon"
{
elasticsearch {
hosts => ["http://elastic:9200"]
ilm_rollover_alias => "log-wlb-sysmon"
ilm_pattern => "000001"
ilm_policy => "sysmon_policy"
}
}
then i restart the logstash and i see an index log-wlb-sysmon-000001 having 1 shards and zero replica
The question is why it dont have 3 shards and zero replica existing index have 3 shards and zero replica.
I am using elk stack 7.10.2