[role="xpack"]

[[example-using-index-lifecycle-policy]]
=== Tutorial: Manage {filebeat} time-based indices
++++
<titleabbrev>Manage {filebeat} time-based indices</titleabbrev>
++++

With {ilm} ({ilm-init}), you can create policies that perform actions automatically
on indices as they age and grow. {ilm-init} policies help you to manage
performance, resilience, and retention of your data during its lifecycle. This tutorial shows
you how to use {kib}’s *Index Lifecycle Policies* to modify and create {ilm-init}
policies. You can learn more about all of the actions, benefits, and lifecycle
phases in the <<overview-index-lifecycle-management, {ilm-init} overview>>.


[discrete]
[[example-using-index-lifecycle-policy-scenario]]
==== Scenario

You’re tasked with sending syslog files to an {es} cluster. This
log data has the following data retention guidelines:

* Keep logs on hot data nodes for 30 days
* Roll over to a new index if the size reaches 50GB
* After 30 days:
** Move the logs to warm data nodes
** Set <<glossary-replica-shard, replica shards>> to 1
** <<indices-forcemerge, Force merge>> multiple index segments to free up the space used by deleted documents
* Delete logs after 90 days


[discrete]
[[example-using-index-lifecycle-policy-prerequisites]]
==== Prerequisites

To complete this tutorial, you'll need:

* An {es} cluster with hot and warm nodes configured for shard allocation
awareness.

** {ess}:
Choose the {cloud}/ec-getting-started-templates-hot-warm.html[hot-warm architecture] deployment template.

** Self-managed cluster:
Add node attributes as described for {ref}/shard-allocation-filtering.html[shard allocation filtering].
+
For example, you can set this in your `elasticsearch.yml` for each data node:
+
[source,yaml]
--------------------------------------------------------------------------------
node.attr.data: "warm"
--------------------------------------------------------------------------------

* A server with {filebeat} installed and configured to send logs to the `elasticsearch`
output as described in {filebeat-ref}/filebeat-getting-started.html[Getting Started with {filebeat}].

[discrete]
[[example-using-index-lifecycle-policy-view-fb-ilm-policy]]
==== View the {filebeat} {ilm-init} policy

{filebeat} includes a default {ilm-init} policy that enables rollover. {ilm-init}
is enabled automatically if you’re using the default `filebeat.yml` and index template.

To view the default policy in {kib}:

. Go to Management and select *Index Lifecycle Policies*.
. Search for _filebeat_.
. Select the _filebeat-version_ policy.

This policy initiates the rollover action when the index reaches 50GB in size or
becomes 30 days old.

[role="screenshot"]
image::images/ilm/tutorial-ilm-hotphaserollover-default.png["Default policy"]


[discrete]
==== Modify the policy

The default policy is enough to prevent the creation of many tiny daily indices.
You can modify the policy to meet more complex requirements.

. Activate the warm phase.
+
--
[role="screenshot"]
image::images/ilm/tutorial-ilm-modify-default-warm-phase-rollover.png["Modify to add warm phase"]

.. Set one of the following options to control when the index moves to the warm phase:

*** Provide a value for *Timing for warm phase*. Setting this to *15* keeps the
indices on hot nodes for a range of 15-45 days, depending on when the initial
rollover occurred.

*** Enable *Move to warm phase on rollover*. The index might move to the warm phase
more quickly than intended if it reaches the *Maximum index size* before
the *Maximum age*.

.. In the *Select a node attribute to control shard allocation* dropdown, select
*data:warm(2)* to migrate shards to warm data nodes.

.. Change *Number of replicas* to *1*.

.. Enable *Force merge data* and set *Number of segments* to *1*.

NOTE: When rollover is enabled in the hot phase, action timing in the other phases
is based on the rollover date.
--

. Activate the delete phase and set *Timing for delete phase* to *90* days.
+
[role="screenshot"]
image::images/ilm/tutorial-ilm-delete-rollover.png["Add a delete phase"]

[discrete]
==== Create a custom policy

If meeting a specific retention time period is most important, you can create a
custom policy. For this option, you use {filebeat} daily indices without
rollover.

To create a custom policy:

. Go to Management and select *Index Lifecycle Policies*.
. Click *Create policy*.
. Activate the warm phase and configure it as follows:
+
--
**Timing for warm phase**: 30 days from index creation

**Node attribute**: `data:warm`

**Number of replicas**: 1

**Force merge data**: enable

**Number of segments**: 1

[role="screenshot"]
image::images/ilm/tutorial-ilm-custom-policy.png["Modify the custom policy to add a warm phase"]
--

. Activate the delete phase and set the timing to 90 days.
+
[role="screenshot"]
image::images/ilm/tutorial-ilm-delete-phase-creation.png["Delete phase"]

To configure the index to use the new policy:

. Go to Management and select *Index Lifecycle Policies*.
. Find your {ilm-init} policy and click its *Actions* link.
. Choose *Add policy to index template*.
. Select your {filebeat} index template name from the *Index template* list. For example, `filebeat-7.5.x`.
. Click *Add Policy* to save the changes.
+
NOTE: If you initially used the default {filebeat} {ilm-init} policy, you will
see a notice that the template already has a policy associated with it. Confirm
that you want to overwrite that configuration.

When you change the policy associated with the index template, the active
index will continue to use the policy it was associated with at index creation
unless you manually update it. The next new index will use the updated policy.
For more reasons that your {ilm-init} policy changes might be delayed, see
<<update-lifecycle-policy, Update Lifecycle Policy>>.
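
The timing rules behind the modified default policy and the custom policy, as an added example (not part of the Elastic documentation or {filebeat}): it takes a policy body in the {ilm-init} API's JSON shape and computes how old a log document can be when its index enters the warm and delete phases. The two policies are constructed from this tutorial's values, `build_policy` is a hypothetical helper, and the one-day write window for daily indices is an assumption.

```python
# Added example (not Elastic's code): bound how old a document can be when its
# index enters each ILM phase. Policies below are constructed from the tutorial.
import math
import re

def hours(value):
    """Parse an ILM time value such as '30d' or '12h' into hours."""
    match = re.fullmatch(r"(\d+)([dh])", value)
    if not match:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(match.group(1)) * {"d": 24, "h": 1}[match.group(2)]

def doc_age_bounds(policy, write_window="1d"):
    """Return {phase: (min_days, max_days)}: document age when its index enters a phase.
    With rollover, min_age counts from the rollover, so the oldest document is up to
    rollover max_age older. Without rollover, min_age counts from index creation, so
    the newest document is write_window (assumed) younger. Poll interval is ignored."""
    phases = policy["policy"]["phases"]
    rollover = phases.get("hot", {}).get("actions", {}).get("rollover")
    bounds = {}
    for name in (p for p in ("warm", "cold", "delete") if p in phases):
        min_age = hours(phases[name].get("min_age", "0d"))
        if rollover is None:
            low, high = max(0, min_age - hours(write_window)), min_age
        elif "max_age" in rollover:
            low, high = min_age, min_age + hours(rollover["max_age"])
        else:  # size-only rollover: a slow index may never roll over
            low, high = min_age, math.inf
        bounds[name] = (low / 24, high / 24)
    return bounds

def exceeds_retention(policy, limit_days):
    """True if a document can outlive limit_days (or is never deleted)."""
    return doc_age_bounds(policy).get("delete", (0, math.inf))[1] > limit_days

WARM = {"allocate": {"number_of_replicas": 1, "require": {"data": "warm"}},
        "forcemerge": {"max_num_segments": 1}}
def build_policy(hot_actions, warm_age):
    """Hypothetical helper: policy body with the tutorial's warm and delete phases."""
    return {"policy": {"phases": {
        "hot": {"actions": hot_actions},
        "warm": {"min_age": warm_age, "actions": WARM},
        "delete": {"min_age": "90d", "actions": {"delete": {}}}}}}
MODIFIED_DEFAULT = build_policy({"rollover": {"max_size": "50gb", "max_age": "30d"}}, "15d")
CUSTOM = build_policy({}, "30d")  # daily indices, no rollover

if __name__ == "__main__":
    for label, body in (("modified default", MODIFIED_DEFAULT), ("custom", CUSTOM)):
        print(label, doc_age_bounds(body), exceeds_retention(body, 90))
```

With rollover kept, documents are 15 to 45 days old at the warm transition and 90 to 120 days old at deletion; with daily indices and no rollover the ranges are 29 to 30 and 89 to 90 days.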