We are trying to set up ILM for our ELK Stack(s) but are running into some issues.
The current scenario is as follows:
We previously had one ELK Stack for all of our environments but decided to split this up per environment. On the main ELK stack we still used curator even though it was deprecated after version 5, but it still worked. Now that these ELK stack(s) have been split up, we want to configure ILM instead of using curator but are running into several issues.
The issues that we encounter are the following:
- We have over 50 indexes but only 7 templates that are installed by logstash. The reason for this is that we have a lot of applications, but the logging for each and every one of those is similar based on the log type (application, access, audit, ...).
- Before ILM this wasn't a problem but the implementation of ILM doesn't seem to be possible because we add the 'index.lifecycle.rollover_alias' for each template which is assigned to multiple index patterns
- After this when trying to create the initial 'time-series index' we get the error that the alias has more than one write index which is indeed what we are trying to do
Now my question is the following:
- Is it possible to implement ILM (we only have one policy) for all these different indices/index patterns using the limited number of templates that we use? In other words, how can we implement ILM without needing a different template for each different index pattern?
I've read the documentation and implementing ILM is fairly easy but this specific scenario isn't talked about.
Any help would be greatly appreciated.
Jens Van Deynse