我正在尝试使用 Elasticsearch 输出插件为索引实现 ILM 以正确使用硬件。看起来我误解了 Logstash 如何管理 ILM。
我在 docker 中有 ELK 堆栈版本 7.1.0。X-Pack 由试用许可证激活。
索引模板由 Logstash Elasticsearch 输出插件管理,索引生命周期策略是使用 Kibana 创建的。
这是 Logstash 管道的输出部分:
output {
elasticsearch {
hosts => ["http://eshost:9200"]
user => "logstash_writer"
password => "pass"
template => "/usr/share/logstash/es_templates/ilm-template.json"
template_name => "ilm-template"
template_overwrite => true
ilm_enabled => true
ilm_rollover_alias => "ilm-index"
ilm_pattern => "000001"
ilm_policy => "base-policy"
}
}
用户logstash_writer具有具有 ILM 管理权限的默认角色logstash_writer。
Elasticsearch 索引模板ilm-template.json:
{
"settings" : {
"index.number_of_replicas" : "1",
"index.number_of_shards" : "1",
"index.refresh_interval" : "5s"
}
}
Logstash 实际创建的Elasticsearch 索引模板_template/ilm-template:
{
"ilm-template" : {
"order" : 0,
"index_patterns" : [
"ilm-index-*"
],
"settings" : {
"index" : {
"lifecycle" : {
"name" : "base-policy",
"rollover_alias" : "ilm-index"
},
"refresh_interval" : "5s",
"number_of_shards" : "1",
"number_of_replicas" : "1"
}
},
"mappings" : { },
"aliases" : { }
}
}
base-policy使用 Kibana 创建的策略:
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_size": "100mb",
"max_docs": 100000
},
"set_priority": {
"priority": 100
}
}
},
"delete": {
"min_age": "2d",
"actions": {
"delete": {}
}
}
}
}
}
我期望索引集ilm-index-*,但只是ilm-index-000001创建并不断增长,尽管base-policy. 所以我只在 Kibana 中看到一个ilm-index-000001与base-policy.