Advice for ElastAlert Index Lifecycle Management? #2785
Comments
|
I searched for an example of Index Lifecycle Management. I found that I was trying to do something similar, but there seems to be no case for Index Lifecycle Management. Added elastalert_status index timestamping #945 |
I'm using current indexes as index write alias and index alias. That might need a little tweak with ElastAlert source code. If you're willing to maintain another downstream source, then ya, that's possible. |
Could anyone share advice on setting up ILM for ElastAlert?
I'm on 7.6 Elasticsearch. I'm very confused on how ILM is supposed to work with ElastAlert. I can't seem to enable rollover because there seems to be '_status' hardcoded to the end of ElastAlert indices, and if I try to make the index have a date or number at the end elastalert freaks out saying it can't find the index it needs.
It may be that I don't understand ILM well enough yet, but I can say it would be nice if Elastalert had a) only one index to deal with and b) you could name that index anything you wanted (i.e. no hardcoded index names, or partially hardcoded index names).
If anyone could share advice on how they are doing ILM with ElastAlert I would appreciate it.
The text was updated successfully, but these errors were encountered: