Open
Description
openedon Dec 1, 2023
Describe the feature:
Currently in 8.11.1, `.alerts-ilm-policy` policy is installed by kibana
# GET _ilm/policy/.alerts-ilm-policy 200 OK
{
".alerts-ilm-policy": {
"version": 1,
"modified_date": "2023-12-01T10:55:10.913Z",
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "30d",
"max_primary_shard_size": "50gb"
}
}
}
},
"_meta": {
"managed": true
}
},
"in_use_by": {
"indices": [
".internal.alerts-observability.metrics.alerts-default-000001",
".internal.alerts-observability.logs.alerts-default-000001",
".internal.alerts-observability.uptime.alerts-default-000001",
".internal.alerts-observability.threshold.alerts-default-000001",
".internal.alerts-ml.anomaly-detection.alerts-default-000001",
".internal.alerts-observability.slo.alerts-default-000001",
".internal.alerts-security.alerts-default-000001",
".internal.alerts-observability.apm.alerts-default-000001",
".internal.alerts-stack.alerts-default-000001"
],
"data_streams": [],
"composable_templates": [
".alerts-observability.threshold.alerts-default-index-template",
".alerts-observability.slo.alerts-default-index-template",
".alerts-ml.anomaly-detection.alerts-default-index-template",
".alerts-observability.uptime.alerts-default-index-template",
".alerts-observability.logs.alerts-default-index-template",
".alerts-stack.alerts-default-index-template",
".alerts-observability.apm.alerts-default-index-template",
".alerts-security.alerts-default-index-template",
".alerts-observability.metrics.alerts-default-index-template"
]
}
}
}
This rolls over the indices after 30 days or 50gb but does not move indices to warm/cold/frozen/delete steps - eventually causing hot nodes to run out of disk space
Generally built-in ILM policies provided by elasticsearch can be customer per doc
However kibana currently (tested in 8.11.1
) overrides .alerts-ilm-policy
policy on restart hence there is no support to customise this ILM policy, hence the indices need to be managed by external tool to move to warm or delete old rolled over indices (curator for example)
Describe a specific use case for the feature:
Support for customising .alerts-ilm-policy
policy to allow to move managed indices to wam/cold/frozen/delete steps
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment