BMC Helix Logging - BMC Helix IT Operations Management (ITOM) Deployment: How to Create an Elasticsearch Index Lifecycle Management (ILM) Policy to Limit the Number of logstash-* OR helix-* Indices Retained by the BMC Helix Logging System?

Knowledge Article

Article Number

000410548

Old Article Number

Article Type

FAQ/Procedural

Title

BMC Helix Logging - BMC Helix IT Operations Management (ITOM) Deployment: How to Create an Elasticsearch Index Lifecycle Management (ILM) Policy to Limit the Number of logstash-* OR helix-* Indices Retained by the BMC Helix Logging System?

Summary

Using Index Lifecycle Management to delete older indices

Product

BMC Helix Platform OnPrem Common Containers

Component

BMC Helix Platform OnPrem Common Containers

Applies to

All supported versions

Question

How to Create an Elasticsearch Index Lifecycle Management (ILM) Policy to Limit the Number of logstash-* OR helix-* Indices Retained by the BMC Helix Logging System

To prevent excessive disk usage and maintain cluster health, it's recommended to configure an ILM policy that automatically manages the retention of logstash-* and helix-* indices.

This solution becomes especially important if the following warning is observed in the EFK-related Helix Logging pods:

[WARN ][o.e.c.r.a.DiskThresholdMonitor] [efk-elasticsearch-master-0]
High disk watermark [90%] exceeded on [efk-elasticsearch-data-1][/bitnami/elasticsearch/data].
Free space: 1.8 GB [9.4%].
Shards will be relocated away from this node.
Currently relocating shards totaling [0] bytes.

If this warning appears, please proceed to configure an ILM policy as described to limit the number of retained indices and avoid disk pressure issues.

Answer

Please follow the below steps:

1) Log in to the Helix Logging Kibana UI and create the index data view as described in the Viewing Logs on Kibana section of the documentation.

2) Click on the three bars at the top left of the screen and scroll down to select the Dev Tools menu option.

3) Paste the JSON below into the Console changing the 7d value if you want to retain something other than 7 days of indices:

PUT _ilm/policy/BMC_logstash_cleanup
{
"policy": {
"phases": {
"hot": {
"actions": {
"set_priority": {
"priority": 100
}
},
"min_age": "0ms"
},
"delete": {
"min_age": "7d",
"actions": {
"delete": {}
}
}
}
}
}

4) Click on the first line and then the play icon that is displayed at the end of the line to create the policy:

5) Repeat the process using the JSON below to create an index template:

PUT _index_template/logstash_index_template
{
"index_patterns": ["logstash-*"],
"template": {
"settings": {
"index.lifecycle.name": "BMC_logstash_cleanup",
"index.lifecycle.rollover_alias": "logstash_ilm"
}
}
}

and again to apply the template to existing logstash-* indices:

PUT logstash-*/_settings
{
"index": {
"lifecycle": {
"name": "BMC_logstash_cleanup"
}
}
}

6) To verify that the policy is in place again click on the three bars and select Stack Management -> Index Management to list your current indices. Click on one of the logstash-* items and the index details, including the active lifecycle management policy, will be displayed:

Note: If a user having different indices name, then please replace the indices name accordingly:

For example, indices named "logstash-*"):

PUT _ilm/policy/BMC_logstash_cleanup
{
"policy": {
"phases": {
"hot": {
"actions": {
"set_priority": {
"priority": 100
}
},
"min_age": "0ms"
},
"delete": {
"min_age": "7d",
"actions": {
"delete": {}
}
}
}
}
}

PUT _index_template/logstash_index_template
{
"index_patterns": ["helix-*"],
"template": {
"settings": {
"index.lifecycle.name": "BMC_logstash_cleanup",
"index.lifecycle.rollover_alias": "logstash_ilm"
}
}
}

PUT helix-*/_settings
{
"index": {
"lifecycle": {
"name": "BMC_logstash_cleanup"
}
}
}

Attachment(s):