Problem description
I have set up an ELK stack using logstash (on EC2) and the ElasticSearch Service from AWS. The log source is CloudWatch. I am using Curator 5.8.1 to clean up old indices.
Configuration:
---
client:
  hosts:
    - vpc-elasticsearch-xxx.eu-xxx-x.es.amazonaws.com
  port: 443
  use_ssl: True
  ssl_no_validate: False
  timeout: 300
logging:
  loglevel: DEBUG
action.yml:
---
actions:
  1:
    action: delete_indices
    description: "Delete cloudwatch logs older than 7 days"
    options:
      timeout_override: 300
      continue_if_exception: False
      ignore_empty_list: True
      allow_ilm_indices: True
    filters:
      - filtertype: kibana
        exclude: True
      - filtertype: pattern
        kind: regex
        value: '^(cw-*).*$'
        exclude: True
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 7
The CloudWatch indices show up in my stack as follows:
yellow open cw-xxx-log-2020.07.13 B4NAbdsjQxuVLw0rxxxxx 5 1 751950 0 1.3gb 1.3gb
yellow open cw-xx-xx-log-2020.07.16 YecRAK3hRGGYgwxQxxxx 5 1 584031 0 1gb 1gb
With the current configuration, I want them to be deleted after 1 week. But as you can see, the indices above from 2 weeks ago are still present in my cluster.
What is going wrong here?
Solution
Your action configuration is wrong: you used exclude: True on the pattern filtertype, which causes every index matching the pattern to be excluded from the actionable list, that is, the list of target indices on which the action (in this case the delete action) is performed.
Try the following configuration, based on the elastic example:
# remove index that start with cw-
actions:
  1:
    action: delete_indices
    description: >-
      Remove Index that start with cw
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
      - filtertype: pattern
        kind: prefix
        value: cw-
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 7
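To make the answer's point concrete, here is an added example (not part of the question or the answer, and not Curator's own code) that models how Curator 5.x narrows its actionable list: each filter in the chain is applied in order, and exclude: True inverts a filter so that matching indices are dropped instead of kept. Only the three filter types used on this page (kibana, pattern with regex/prefix, age on creation_date) are modelled, and the index names, creation dates and the fixed "now" are constructed sample data. Running the question's filters and the answer's filters over the same sample shows that the original chain never selects any cw- index, while the corrected one selects exactly the cw- indices older than 7 days.

```python
"""Model of how Curator 5.x builds its actionable index list.

Added example, not taken from the question, the answer or Curator itself:
a small re-implementation of the kibana, pattern and age filters so the
effect of `exclude: True` can be checked offline.
"""
import re
from datetime import datetime, timedelta

# Constructed sample data: index name -> creation date. "Now" is pinned so
# the result is reproducible. Two cw- indices are older than 7 days, one
# is not; one non-cw index is old; one is a Kibana system index.
NOW = datetime(2020, 7, 30)
SAMPLE_INDICES = {
    "cw-xxx-log-2020.07.13": datetime(2020, 7, 13),
    "cw-xx-xx-log-2020.07.16": datetime(2020, 7, 16),
    "cw-xxx-log-2020.07.29": datetime(2020, 7, 29),
    "logstash-2020.07.10": datetime(2020, 7, 10),
    ".kibana_1": datetime(2020, 6, 1),
}


def _matches(name, created, flt, now):
    """True when an index matches one filter, before `exclude` is applied."""
    kind = flt["filtertype"]
    if kind == "kibana":
        return name.startswith(".kibana")
    if kind == "pattern":
        if flt["kind"] == "regex":
            return re.search(flt["value"], name) is not None
        if flt["kind"] == "prefix":
            return name.startswith(flt["value"])
        raise ValueError("unsupported pattern kind: %s" % flt["kind"])
    if kind == "age":
        # Only source: creation_date, direction: older, unit: days are
        # modelled here, which is what the page uses.
        cutoff = now - timedelta(days=flt["unit_count"])
        return created < cutoff
    raise ValueError("unsupported filtertype: %s" % kind)


def actionable_list(indices, filters, now=NOW):
    """Apply filters in order; every filter narrows the remaining list.

    With exclude: False (the default for pattern and age) matching indices
    are kept; with exclude: True matching indices are removed. The kibana
    filter defaults to exclude: True.
    """
    remaining = dict(indices)
    for flt in filters:
        default_exclude = flt["filtertype"] == "kibana"
        exclude = flt.get("exclude", default_exclude)
        remaining = {
            name: created
            for name, created in remaining.items()
            if _matches(name, created, flt, now) != exclude
        }
    return sorted(remaining)


# Filters as written in the question's action.yml (exclude: True on cw-).
ORIGINAL_FILTERS = [
    {"filtertype": "kibana", "exclude": True},
    {"filtertype": "pattern", "kind": "regex", "value": "^(cw-*).*$",
     "exclude": True},
    {"filtertype": "age", "source": "creation_date", "direction": "older",
     "unit": "days", "unit_count": 7},
]

# Filters as written in the answer (prefix match, no exclude).
FIXED_FILTERS = [
    {"filtertype": "pattern", "kind": "prefix", "value": "cw-"},
    {"filtertype": "age", "source": "creation_date", "direction": "older",
     "unit": "days", "unit_count": 7},
]

if __name__ == "__main__":
    print("original filters select:", actionable_list(SAMPLE_INDICES, ORIGINAL_FILTERS))
    print("fixed filters select:   ", actionable_list(SAMPLE_INDICES, FIXED_FILTERS))
```

With the sample above, the original chain leaves only the old non-cw index in the actionable list (the cw- indices were excluded by the pattern filter before the age filter ran), whereas the corrected chain selects the two cw- indices older than 7 days and leaves the recent one alone. Before pointing a delete action at a real cluster, running Curator with the `--dry-run` flag shows the actionable list it would act on.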