@robcowart
Created April 28, 2022 07:32
NOTE: The examples below apply when ECS support is enabled in the collector; with ECS disabled the index and alias names will differ.

  1. Create an ILM policy named elastiflow via the Kibana UI or via the Elasticsearch API (using Kibana Dev Tools). The policy below rolls the write index over when its primary shard reaches 10GB or it is one day old, and deletes an index seven days after it has rolled over. Note that max_primary_shard_size requires Elasticsearch 7.13 or later; on older clusters use max_size instead. For example:
PUT _ilm/policy/elastiflow
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_primary_shard_size": "10GB",
            "max_age": "1d"
          }
        }
      },
      "delete": {
        "min_age": "7d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
  2. Ensure that the ElastiFlow collector configuration includes the following options. The lifecycle value must be the policy name from step 1, and the rollover alias value must be the alias that is bootstrapped in step 4:

   option                                                          value
   EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PERIOD                       rollover
   EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE       elastiflow
   EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_ROLLOVER_ALIAS  elastiflow-flow-ecs-1.7-1.4-rollover
  3. Start the collector briefly so that it uploads the index template, and stop it as soon as it logs that it is connected to Elasticsearch and running. If the collector created any index while it was running (typically an index named exactly like the alias, because with the rollover period it writes to the alias name before the alias exists), that index MUST be deleted: an index with the same name as the alias prevents the alias from being created in the next step. Verify that no such index exists before continuing.

  4. Bootstrap the initial write index, marking it as the write index of the rollover alias:

PUT elastiflow-flow-ecs-1.7-1.4-rollover-000001
{
  "aliases": {
    "elastiflow-flow-ecs-1.7-1.4-rollover": {
      "is_write_index": true
    }
  }
}
  5. Start the ElastiFlow collector. Indices should roll over as configured in the ILM policy. ILM evaluates the rollover conditions on its poll interval (10 minutes by default), so the first rollover can lag the configured max_age or size by up to that long.
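The steps above as one script, as an added example that is not part of the gist and not ElastiFlow's own tooling. It creates the ILM policy from step 1, checks a collector config against the three options from step 2, refuses to bootstrap while an index that would collide with the rollover alias exists (the manual check in step 3), and then creates the -000001 write index from step 4 with curl. Assumptions: ES_URL points at an Elasticsearch cluster reachable without authentication (the localhost default, the `apply` argument and the conflict patterns are this example's own choices); the sample index list and collector settings are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the gist or from ElastiFlow: scripts the bootstrap
# procedure against Elasticsearch with curl and adds the pre-flight check the
# gist asks for by hand. Assumption: ES_URL is an unauthenticated cluster.
set -eu

POLICY="elastiflow"
ALIAS="elastiflow-flow-ecs-1.7-1.4-rollover"
ES_URL="${ES_URL:-http://localhost:9200}"   # assumption: local, unauthenticated cluster

# Body for PUT _ilm/policy/$POLICY: hot phase rolls over at 10GB primary shard
# size or 1 day, delete phase removes an index 7 days after it rolled over.
ilm_policy_body() {
  cat <<'EOF'
{
  "policy": {
    "phases": {
      "hot":    { "actions": { "rollover": { "max_primary_shard_size": "10GB", "max_age": "1d" } } },
      "delete": { "min_age": "7d", "actions": { "delete": {} } }
    }
  }
}
EOF
}

# Body for PUT <alias>-000001 that makes the new index the alias's write index.
bootstrap_body() {
  printf '{ "aliases": { "%s": { "is_write_index": true } } }\n' "$1"
}

# Reads index names, one per line (e.g. GET _cat/indices?h=index), and prints
# those that block the bootstrap:
#   - an index named exactly like the alias (the collector wrote to the alias
#     name before the alias existed and Elasticsearch auto-created a concrete
#     index), which makes creating an alias with that name impossible;
#   - a rollover-numbered index that already exists, so the PUT in step 4
#     would fail with resource_already_exists_exception.
conflicting_indices() {
  name="$1"
  while read -r idx; do            # plain read strips _cat's padding whitespace
    case "$idx" in
      "$name") echo "$idx" ;;
      "$name"-[0-9][0-9][0-9][0-9][0-9][0-9]) echo "$idx" ;;
    esac
  done
}

# Reads KEY=VALUE collector settings on stdin and succeeds only when the three
# options from step 2 agree with the policy name and alias used here.
check_collector_config() {
  period=""; lifecycle=""; ralias=""
  while IFS='=' read -r key val; do
    case "$key" in
      EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PERIOD) period="$val" ;;
      EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE) lifecycle="$val" ;;
      EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_ROLLOVER_ALIAS) ralias="$val" ;;
    esac
  done
  if [ "$period" = "rollover" ] && [ "$lifecycle" = "$POLICY" ] && [ "$ralias" = "$ALIAS" ]; then
    return 0
  fi
  return 1
}

# Steps 1, the check from step 3, and step 4 against the live cluster. Step 2
# (collector config) and the brief collector start in step 3 stay manual.
apply_bootstrap() {
  ilm_policy_body | curl -sSf -X PUT "$ES_URL/_ilm/policy/$POLICY" \
    -H 'Content-Type: application/json' --data-binary @-
  conflicts=$(curl -sSf "$ES_URL/_cat/indices?h=index" | conflicting_indices "$ALIAS")
  if [ -n "$conflicts" ]; then
    echo "refusing to bootstrap; delete these indices first:" >&2
    echo "$conflicts" >&2
    return 1
  fi
  bootstrap_body "$ALIAS" | curl -sSf -X PUT "$ES_URL/$ALIAS-000001" \
    -H 'Content-Type: application/json' --data-binary @-
  curl -sSf "$ES_URL/_alias/$ALIAS"    # should show is_write_index true on -000001
}

# Constructed sample of `GET _cat/indices?h=index` output after a collector run
# that left a concrete index named like the alias, plus a stale -000001 index.
SAMPLE_CAT_INDICES='.kibana_1
elastiflow-flow-ecs-1.7-1.4-rollover
elastiflow-flow-ecs-1.7-1.4-rollover-000001
logs-2022.04.28'

# Constructed collector settings matching step 2.
SAMPLE_COLLECTOR_CONFIG='EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PERIOD=rollover
EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE=elastiflow
EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_ROLLOVER_ALIAS=elastiflow-flow-ecs-1.7-1.4-rollover'

# Offline dry run by default; `sh bootstrap.sh apply` talks to $ES_URL.
if [ "${1:-}" = "apply" ]; then
  apply_bootstrap
else
  printf '%s\n' "$SAMPLE_COLLECTOR_CONFIG" | check_collector_config && echo "collector config OK"
  printf '%s\n' "$SAMPLE_CAT_INDICES" | conflicting_indices "$ALIAS"
fi
```

Run without arguments it only exercises the checks against the constructed samples and prints the two index names that would block the bootstrap; with `apply` it performs the policy PUT, the conflict check and the write-index PUT in order, stopping at the first failure because of set -e and curl -f.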