Hello,
I am trying to implement a rollover mechanism in my environments. Let me explain the as-is and to-be designs:
Log data is stored in syslog-%{+YYYY.MM.dd} indices right now. I keep data for 3 days. No rollover, no warm or cold phase. It goes to the delete phase directly. So this is the as-is design and I have
syslog-2023-01-29
syslog-2023-01-30
syslog-2023-01-31
And I made some changes to our ILM policy and applied rollover settings. It is running but there is a point;
I need a separate index for every day. So I added these ILM pattern settings in my Logstash conf, shown as below
Result and Question;
syslog-2023-02-01-000001 => it is ok
syslog-2023-02-01-000002 => Why does this pattern start from 000002? How can I make it start from 000001 every time a new index is created? Is this normal behavior?
The whole point of rollover is to allow new indices to be created based on age or size. This allows indices to cover a longer time period when data volumes are low and roll over more frequently during peak hours. This means that index creation will not align with specific points in time, e.g. change of date. These indices all have a suffix that will increment, which ensures a unique index name.
If you want to use rollover I would recommend not trying to control naming convention or exactly when rollover is performed. ILM will handle the lifecycle based on index metadata and not the name.
If you want indices to correspond to specific time periods, e.g. exactly a day per index, then do not use rollover and instead set the index name based on the event time as was commonly done before rollover became available.
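The naming behaviour described in the reply above, as an added sketch that is not part of the original thread: a simplified model in which rollover fires on size or age, the date part of the name is re-evaluated at rollover time, and the counter only ever increments. The thresholds, hourly volumes and function names are constructed for illustration; the index names follow the format shown in the question.

```python
from datetime import datetime, timedelta

def next_index_name(current: str, now: datetime, alias: str = "syslog") -> str:
    """Simplified model of rollover naming: the date part is taken from the
    rollover time, the numeric suffix is the previous suffix plus one."""
    counter = int(current.rsplit("-", 1)[1]) + 1
    return f"{alias}-{now:%Y-%m-%d}-{counter:06d}"

def simulate(hourly_gb, start, max_size_gb, max_age):
    """Walk through hourly ingest volumes and return [(index_name, created_at)].
    Rollover happens when the write index reaches max_size_gb or max_age,
    whichever comes first (assumed thresholds, not the poster's policy)."""
    name = f"syslog-{start:%Y-%m-%d}-000001"
    created, size = start, 0.0
    indices = [(name, created)]
    for hour, gb in enumerate(hourly_gb):
        now = start + timedelta(hours=hour + 1)
        size += gb
        if size >= max_size_gb or now - created >= max_age:
            name = next_index_name(name, now)
            created, size = now, 0.0
            indices.append((name, created))
    return indices

# Constructed sample: 48 hours of syslog volume with a six-hour peak on day one.
SAMPLE_HOURLY_GB = [1] * 8 + [10] * 6 + [1] * 34
START = datetime(2023, 2, 1, 0, 0)

def run_sample():
    return simulate(SAMPLE_HOURLY_GB, START, max_size_gb=50,
                    max_age=timedelta(days=1))

if __name__ == "__main__":
    for index_name, created_at in run_sample():
        print(f"{created_at:%Y-%m-%d %H:%M}  {index_name}")
```

In this run the peak fills the first index by 13:00, so a second index appears on the same day, and the next one is created by age at 13:00 the following day with suffix 000003: neither the creation time nor the counter lines up with midnight.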