Rollover daily indexes

pbmsys · April 25, 2017, 12:54pm

Hi.

I am currently looking into the rollover feature in elasticsearch.
At the moment i have timebased indexes from filebeats, eg: filebeat.2017-25-05

I would actually like to still keep filebeat create a new daily index and the the rollover to split these when they reach a certain amount of documents.

But cant figure out from the documentation if this is possible?

Thanks in advance
Peter

theuntergeek · April 25, 2017, 3:06pm

If I understand you correctly, you want a daily alias, with rolling indices underneath? Like this?

daily-2017.04.23-1
    daily-2017.04.23-000001
    daily-2017.04.23-000002
    daily-2017.04.23-000003
    ....
daily-2017.04.24-1
    daily-2017.04.24-000001
    daily-2017.04.24-000002
    daily-2017.04.24-000003
    ....
daily-2017.04.25-1
    daily-2017.04.25-000001
    daily-2017.04.25-000002
    daily-2017.04.25-000003
    ....

Something like this? While it is possible, it is not automatic. You would have to use some process to make the daily indices/aliases before the rollover time came, so that Beats could just point to it without having to think about it, otherwise Beats would create a new index named daily-YYYY.MM.DD-1 instead of pointing at a rollover-capable alias.

pbmsys · April 26, 2017, 6:07am

@theuntergeek
You got the structure just right.
That answers the question, i dont know i am that confident on relaying on a schedulet job

Thank you

Christian_Dahlqvist · April 26, 2017, 6:15am

You can set indices to roll over based on document count and/or time, so you could set it up with a pure rolling index and still make sure no index contains data for more than one day if that is the granularity you need in order to manage retention.

pbmsys · April 26, 2017, 6:28am

@Christian_Dahlqvist
That could be an option.
Just have to make sure Curator dont nuke that index.

Nice idea.

pbmsys · May 2, 2017, 7:56am

@Christian_Dahlqvist

How would you control the index-name from logstash when it does a rollover each day and each time it reaches a document count?

/Peter

Christian_Dahlqvist · May 2, 2017, 7:59am

The rollover mechanism controls the underlying index names and Logstash will be indexing into a single write alias. Look at this blog post and the documentation for more details.

system · May 30, 2017, 8:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Index not rolling over automatically each day Logstash	2	655	January 7, 2020
Elasticsearch Index Rollover Elasticsearch	4	386	November 27, 2019
Index Rollover for time based indexes Elasticsearch	1	423	May 2, 2019
Daily Indexing (at Midnight) Elasticsearch	7	1304	June 10, 2021
Logstash Output to Elasticsearch Alias using Rollover API Logstash	3	5078	October 21, 2018

Rollover daily indexes

Related topics