Error message when trying to configure state management policy with Visual Editor

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch = 2.9.0
dashboard = 2.9.0
server OS = Ubuntu 20.04.6 LTS
browser = Chrome Version 116.0.5845.96

Describe the issue:
I’m trying to set up a syslog server for our mainly Windows infrastructure and installed Winlogbeat on one of the Windows Servers for testing.
I’m logged as admin user in OpenDashboard and try to create a State Management Policy with the Visial Editor. I would like to delete indices after a certain period of time (for my test every Winlogbeat index older than 730 days).

When I create the policy, the drop down menu ‘Initial staté’ is empty, I can’t define a state. When I try to add a transition “Minimum index age is 730d” to “delete” state without an action, I get this message :

Error : Failed to create policy: [illegal_argument_exception] Policy contains a transition in state=default pointing to a nonexistent state=delete

When I try to add an action (see screenshot below), I get this error message :

Error : Failed to create policy: [illegal_argument_exception] State=default cannot contain transitions if using delete action

Relevant Logs or Screenshots:

I’m a newbie and tried to find out about states in the documentation and how to configure this, but I miss a list of existing states and their explanation. Can you help me figure out, how to configure this?

Thanks in advance, cheers,

You should add a delete state without any transition firstly:

, and then create a init state with not actions, with transition, and set the destination state to the delete state above:

Thanks a lot for your quick answer, I could create the policy like this. If I understand, it should delete indices older than 730d. I waited at least two hour and cluster health isn’t red as far as I understand. For now, it didn’t work so I wonder which date does it apply?

I ingested some very old logs here (creation date14/08/2023), is it their creation date that counts as min_index_age or the date indicated in the name of the index which depends on the time stamp?

Here’s the Policy setting:

I created the index pattern called winlogbeat* on the Discover page, too.

Thanks a lot for your work on this project and for your help,


It’s the creation date counts as min_index_age, so these indices have not entered the delete state, you can goto the Policy managed indices section to check the progress of ISM policy execution.

Thanks, I had a look to this section and there is nothing:
“There are no existing managed indices. Create a policy to add to an index.”
Does that mean my policy isn’t correctly configured?
Best regards,

Yeah, that means your policy has not been attached to any index, so you need to attach the policy, you can go to Indices section, select all the indices which have winlogbeat prefix and then click Apply policy button in the Actions menu. I think why the policy is not applied is that the ISM template in the policy only take effects when creating index, so for the existing indices, you need to apply the policy manually.

Yes, that’s it. The new indices created after the policy are now showing up int the “Policy managed indices” section.
Thanks a lot,