NOTE: The examples below are for when ECS support is enabled.
- Create an ILM policy named
elastiflowvia Kibana UI or via the Elasticsearch API (using Kibana Dev Tools). For example:
PUT _ilm/policy/elastiflow
{
"policy": {
"phases": {
"hot": {
"actions": {
"rollover": {
"max_primary_shard_size": "10GB",
"max_age": “1d”
}
}
},
"delete": {
"min_age": "7d",
"actions": {
"delete": {}
}
}
}
}
}
- Ensure that the ElastiFlow collector configuration includes the following options:
| option | value |
|---|---|
EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PERIOD |
ilm |
EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX |
rollover |
EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE |
elastiflow |
EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_ROLLOVER_ALIAS |
elastiflow-flow-ecs-1.7-1.2-rollover |
-
Briefly start the collector to upload the index template. Stop it as soon as you see a message related to
elasticsearchandrunning. If any index was created when the collector was started, it MUST be deleted as it will conflict with the rollover alias. -
Bootstrap the initial write index.
PUT elastiflow-flow-ecs-1.7-1.2-rollover-000001
{
"aliases": {
"elastiflow-flow-ecs-1.7-1.2-rollover": {
"is_write_index": true
}
}
}
- Start the ElastiFlow collector. Indices will should rollover as configured in the ILM policy.