Hello everyone,
Normally we run the following scenario in our Elasticsearch:
Index template with rollover alias and lifecycle policy. So, for example:
Alias: testindex
Index: testindex-000001 (current write index for the alias testindex)
(Logstash only knows the alias and always writes to testindex)
Now I forgot to create the index template and the first index (with suffix -000001) for one index in advance:
Since neither the index nor the alias existed, Logstash has now created the index testindex, which of course is not being rolled over. The index is now about 500GB big and I would like to do a rollover now.
I am able to create the index template. And now I would have to reindex the current testindex with 500GB (or however I should do that) into an index testindex-000001, then delete testindex and set testindex as an alias for testindex-000001. Then ILM should take effect and do a rollover.
In general I would manage this, but the problem is that Logstash is sending new logs all the time and I don't know how to do this without losing data. Unfortunately, I cannot stop Logstash.
I hope it is understandable and someone has an idea how I can best do this.
And yes, I know, the index is actually already way too big with 500GB, but that's a problem for later...