Serval indices were created with different timestamp upon using new winlogbeat template

Alaxwora · November 6, 2021, 10:03am

Hello,
I noted serval indices were created upon using my new winlogbeat template, and I already set ILM to rollover after 30 days or upon index size reaches 10 Giga but it seems that I made a mistake.

the following screenshot shows my problem

my winlogbeat.yml config

output.elasticsearch.index: "test-%{[agent.version]}-%{+yyyy.MM.dd}"

setup.ilm.enabled: false
setup.template.name: "test"
setup.template.pattern: "test-*"

ILM configuration

Template config

Thank you in advance for your consideration

stephenb · November 6, 2021, 4:06pm

This is a reason you're getting daily indexes because you gave it a daily index name.

Did you follow the steps here?

This should be pointing to the writer alias What you need to create the bootstrap index. See here

Or use

setup.ilm.rollover_alias see below

Also you need the ILM pattern etc see here

And of course these configurations need to be consistent within your winlogbeat and the template and ILM policy that you set up.

By the way I noticed you set up 21 primary shards I don't know if you're just testing but you would need to have some very extreme circumstances to use that in an effective manner.

system · December 4, 2021, 4:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.