Time based Indexes with the powers of ILM

Alamgir_Qazi · March 23, 2021, 5:21am

I want to get benefits of ILM (hot, warm, cold) features + the fixed size of indexes without changing the date/time index. Is this possible ?

E.g. I have an index events-2021-03-23 and I want ILM to create a new index like events-2021-03-23-00001, events-2021-03-23-00002 when the shards are all equal at 50GB.

Why I wanna do this?

We're ingesting 1TB+ data per day. Time based index means we query only for the limited time. With long-term retentions, this is a lot of data and I think its best if it stays in time-series format.

Alamgir_Qazi · March 23, 2021, 6:54am

This isn't spam

warkolm · March 23, 2021, 9:04am

The spam catching isn't super smart, we just have to approve stuff that's a false negative.

What you are saying is how ILM works. The only time it will create an index with a new timestamp is if the policy changes.

Alamgir_Qazi · March 23, 2021, 4:36pm

Most ILM I've seen for now don't use time-based indexes. they are more like firewall-events-00001,firewall-events-00002 from the examples.

What I'm looking for is firewall-events-2022-03-23-00001 and so on.

Christian_Dahlqvist · March 23, 2021, 4:58pm

I think you can have a date in the name but the sequence number will just increase and not reset per day.

Alamgir_Qazi · March 24, 2021, 5:54am

In that case, I just have 1 question

If I use ILM and store indexes as firewall-00001,firewall-00002 , will it give result in the same time If I use date range query on firewall-* compared to specifying the indexes firewall-2021-03-23,firewall-2021-03-24 ?

system · April 21, 2021, 5:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.