BMC Helix Logging - OnPrem - Using Index Lifecycle Management to delete older indices

Knowledge Article

BMC Helix Logging - OnPrem - Using Index Lifecycle Management to delete older indices
Using Index Lifecycle Management to delete older indices
BMC Helix Platform OnPrem Common Containers
BMC Helix Platform OnPrem Common Containers
All supported versions
BMC Helix Platform OnPrem Common Containers
BMC Helix Platform OnPrem Common Containers
All supported versions
How to create an Elasticsearch Index Lifecycle Management (ILM) policy to limit the number of logstash-* indices retained by the BMC Helix Logging system?
 
This solution may be required when the following Warnings are observed in the EFK-* related Helix Logging Pods:
 
[WARN ][o.e.c.r.a.DiskThresholdMonitor] [efk-elasticsearch-master-0] high disk watermark [90%] exceeded on [efk-elasticsearch-data-1][/bitnami/elasticsearch/data] free: 1.8gb[9.4%], shards will be relocated away from this node; currently relocating away shards totalling [0] bytes; the node is expected to continue to exceed the high disk watermark when these relocations are complete

1) Login to the Helix Logging Kibana UI and create the index data view as described in the Viewing Logs on Kibana section of the documentation.


2) Click on the three bars at the top left of the screen and scroll down to select the Dev Tools menu option.



3) Paste the JSON below into the Console changing the 7d value if you want to retain something other than 7 days of indices:

PUT _ilm/policy/BMC_logstash_cleanup
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "set_priority": {
            "priority": 100
          }
        },
        "min_age": "0ms"
      },
      "delete": {
        "min_age": "7d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

4) Click on the first line and then the play icon that is displayed at the end of the line to create the policy:



5) Repeat the process using the JSON below to create an index template:

PUT _index_template/logstash_index_template
{
  "index_patterns": ["logstash-*"], 
  "template": {
    "settings": {
      "index.lifecycle.name": "BMC_logstash_cleanup", 
      "index.lifecycle.rollover_alias": "logstash_ilm" 
    }
  }
}

and again to apply the template to existing logstash-* indices:

PUT logstash-*/_settings 
{
  "index": {
    "lifecycle": {
      "name": "BMC_logstash_cleanup"
    }
  }
}

6) To verify that the policy is in place again click on the three bars and select Stack Management -> Index Management to list your current indices.  Click on one of the logstash-* items and the index details, including the active lifecycle management policy, will be displayed:



Note: If a user having different indices name, then please replace the indices name accordingly:

For example, indices named "logstash-*"):

PUT _ilm/policy/BMC_logstash_cleanup
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "set_priority": {
            "priority": 100
          }
        },
        "min_age": "0ms"
      },
      "delete": {
        "min_age": "7d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}


PUT _index_template/logstash_index_template
{
  "index_patterns": ["helix-*"], 
  "template": {
    "settings": {
      "index.lifecycle.name": "BMC_logstash_cleanup", 
      "index.lifecycle.rollover_alias": "logstash_ilm" 
    }
  }
}

PUT helix-*/_settings 
{
  "index": {
    "lifecycle": {
      "name": "BMC_logstash_cleanup"
    }
  }
}
BMC Helix Platform OnPrem Common Containers
BMC Helix Platform OnPrem Common Containers
All supported versions
Attachment(s):