Create an Elasticsearch index lifecycle management (ILM) policy

WARNING

If you don't use an ILM policy, and you keep forwarding data to Elastic, then you will eventually run out of disk space.

Here is a starter policy:

PUT _ilm/policy/cicspa-ilm-policy
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_primary_shard_size": "10gb",
            "max_age": "10d"
          },
          "set_priority": {
            "priority": 100
          }
        }
      },
      "warm": {
        "min_age": "10d",
        "actions": {
          "set_priority": {
            "priority": 50
          }
        }
      },
      "delete": {
        "min_age": "20d",
        "actions": {
          "delete": {
            "delete_searchable_snapshot": true
          }
        }
      }
    }
  }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

TIP

You can paste this definition into the Kibana console. In Kibana, select Management ▶ Dev Tools ▶ Console.

This starter policy is designed for use with data streams. The policy contains a rollover action that triggers the creation of a new backing index for the data stream either when the primary shard size reaches 10 GB, or 10 days after the current backing index was created, whichever occurs first.

This starter policy deletes indices 20 days after rollover.

This policy is a starter only. Create a policy that matches your organization's requirements and available disk space.

For details on creating index lifecycle policies and associating them with indices, see the Elastic Stack ILM documentationopen in new window.

Last Updated:
Contributors: Daniel Lalwet, Viaceslavas Michalkevicius