Good Day!
We have the following question about the ILMs:
In our Elasticsearch Instance we are using the predefined default logs
-ILM to manage our data streams. It is configured to delete the logs-*
data streams after 90 days. So far so good everything works fine.
Now we would like to keep the logs with the index pattern logs-kubernetes.container_logs.eai-*
for 120 days. The problem is, that the logs ILM with the logs-*
index pattern will delete all logs after 90 days anyway! So creating a new ILM just for logs-kubernetes.container_logs.eai-*
to keep them for 120 won't work here - as I understand.
Is there an easy way to solve this without creating ganular ILMs for every data stream separately? We have in total 70 data streams with the logs-*
index pattern, that create huge amouts of data!
We have updated to Elasticsearch 8.17 btw.
Thank you kindly in advance!
You need to create a different ILM policy for just the datastream of logs-kubernetes.container_logs-*
.
The steps to do it are in this documentation.
Basically you will create your policy, then edit the logs-kubernetes.container_logs@custom
component template and rollover your datastreams.
This will be applied to every logs-kubernetes.container_logs-*
datastream, independent of the namespace.
@leandrojmp
YES, thank you, this is indeed exactly, what I need! I haven't used the right terms, so I haven't found this article