I'm using elasticsearch and logstash version 7.3.0
I'm using logstash to output all logs to elasticsearch. Now I'm trying to use the rollover policy to delete indexes older than 3 days.
I defined policy in elasticsearch named hamada-7.3.0
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "1d",
"max_size": "30gb"
}
}
},
"delete": {
"min_age": "3d",
"actions": {
"delete": {}
}
}
}
}
}
I have an index template, here is its setting:
{
"hamada" : {
"order" : 1,
"index_patterns" : [
"hamada*"
],
"settings" : {
"index" : {
"lifecycle" : {
"name" : "hamada-7.3.0",
"rollover_alias" : "hamada"
},
...
...
Now I want logstash to use an index that is created using hamada template and is managed by hamada-7.3.0 rollover policy
Here is my logstash output:
output {
elasticsearch {
hosts => "elasticsearch-master:9200"
template_name => "hamada"
ilm_enabled => "true"
ilm_policy => "hamada-7.3.0"
ilm_rollover_alias => "hamada"
ilm_pattern => "%{+yyyy.MM.dd}-000001"
codec => json {
charset => "ISO-8859-1"
}
}
The expected behaviour is when logstash push to an index, it uses ilm configurations. i.e. it pushes logs to an index that follows this pattern hamada-%{+yyyy.MM.dd}-000001 and is managed/controlled by rollover policy.
What actually happens, the created index is named hamada. There is no data or number in the name. and the policy is not applied to it.
So how can I create an index using rollover policy and index template using logstash?