Lokey92

## AUTHOR: Logan Tooley   ## 
## DATE: 20220615         ## 
## SCENARIO ################################################################################################################
# Imagine there's several indices that are on the warm data tier, all managed by an ILM policy. 
# An admin wants to roll them into a backup but doesn't want to lose the ILM policy nor run it through the hot phase again.
# In this particular instance we want to roll old filebeat-7.16.2-* indices. 
############################################################################################################################

## STEP 1: Create the backup index with the tier preference. This will still start in the hot phase.
## NOTE: It won't be a problem for the write index and it completes rollover automatically (using lifecycle.indexing_complete)

Lokey92

Considerations

• This guide assumes you already have a Windows Server established with the AD DS/DNS components installed and configured on the host.
• You will need to have the name and IP of the domain on hand.
• I am using Windows 10 Pro and Windows Server 2016.

Setting the DNS server address

1. On your windows host in the search bar, type in View network connections and open the match of the same name. You should see at the very least an Ethernet adapter.
2. Determine where your network is connected, in my case it was Ethernet, right click and open Properties.
3. In Properties, locate Internet Protocl Version 4 (TCP/IPv4) and highlight it and select Properties again.
4. In the IPV4 properties tick Use the following DNS server addresses and add your DNS server address to it.

Lokey92

# TEST: Use case of doc-value-only fields on search and aggregation.
# CONCLUSION: Aggregations and search are both readily supported on fields with doc_values disabled. There is a performance impact but storage is better. Ideally use this feature where search speed isn't important.
# DOCUMENTATION: https://www.elastic.co/guide/en/elasticsearch/reference/current/doc-values.html
# NOTES: Included a disabled doc value ("doc_values: false") field for reference to aggs. Aggs do not work on them.

# Copy/paste this into Kibana > Dev Tools to try it out yourself.

# Mapping doc-value-only fields, session_id and integer are both doc-value-only. 
PUT my-index-000001

Lokey92

# Runtime Painless Example - Retrieve two date fields, diff them, then output a DDHHMMSS time. 
GET .ds-ilm-history-*/_search
{
  "fields": ["date.diff.create-step"],
  "runtime_mappings": {
    "date.diff.create-step": {
      "type": "keyword",
      "script": {
        "source": """
        ZonedDateTime step = ZonedDateTime.ofInstant(doc['state.step_time'].value.toInstant(), ZoneId.of('Z'));

Lokey92

# Scenario: An Elastic stack developer built a transform and would like to monitor potential failures on it automatically using built-in alert features. 
# Solution: Using an advanced watch can periodically pass an API request to tell if a transform is down. 

# NOTE: This tutorial assumes the user knows how to create a transform, but there is an example available in the next steps to follow along if not.
# To use this tutorial easily, copy and paste the contents of this file into Dev Tools (Found under Management in the Kibana sidebar).

# More information on Elastic Watcher/Transform features may be found at the below links:
# https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html
# https://www.elastic.co/guide/en/kibana/current/watcher-ui.html