0

我已经使用来自 AWS 的 logstash(在 EC2 上)和 ElasticSearch 服务设置了一个 ELk 堆栈。日志的来源来自 CloudWatch。我正在使用 Curator 5.8.1 来清理旧索引。

配置:

---
client:
  hosts:
    - vpc-elasticsearch-xxx.eu-xxx-x.es.amazonaws.com
  port: 443
  use_ssl: True
  ssl_no_validate: False
  timeout: 300

logging:
  loglevel: DEBUG

action.yml:

---
actions:
  1:
    action: delete_indices
    description: "Delete cloudwatch logs older than 7 days"
    options:
      timeout_override: 300
      continue_if_exception: False
      ignore_empty_list: True
      allow_ilm_indices: True
    filters:
      - filtertype: kibana
        exclude: True
      - filtertype: pattern
        kind: regex
        value: '^(cw-*).*$'
        exclude: True
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 7

CloudWatch 的索引出现在我的堆栈中,如下所示:

yellow open   cw-xxx-log-2020.07.13         B4NAbdsjQxuVLw0rxxxxx   5   1     751950            0      1.3gb          1.3gb
yellow open   cw-xx-xx-log-2020.07.16         YecRAK3hRGGYgwxQxxxx   5   1     584031            0        1gb            1gb

使用当前配置,我想在 1 周后删除它们。但正如你所见。上面的索引在我的集群中仍然可用,而它们已经超过 2 周。

这里有什么问题?

4

1 回答 1

0

您的操作配置错误,您有模式,这将使与模式匹配的每个索引都从可操作列表中exclude: True排除这是将应用操作(在这种情况下为删除操作)的目标索引列表.filtertype

尝试基于弹性示例的以下配置

# remove index that start with cw-
actions:
  1:
    action: delete_indices
    description: >-
      Remove Index that start with cw
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: prefix
      value: cw-
    - filtertype: age
      source: creation_date
      direction: older
      unit: days
      unit_count: 7
于 2020-08-11T14:19:11.777 回答