Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch = 2.9.0
dashboard = 2.9.0
server OS = Ubuntu 20.04.6 LTS
browser = Chrome Version 116.0.5845.96
Describe the issue:
I’m trying to set up a syslog server for our mainly Windows infrastructure and installed Winlogbeat on one of the Windows Servers for testing.
I’m logged in as the admin user in OpenDashboard and am trying to create a State Management Policy with the Visual Editor. I would like to delete indices after a certain period of time (for my test, every Winlogbeat index older than 730 days).
Configuration:
When I create the policy, the drop-down menu ‘Initial state’ is empty, so I can’t define a state. When I try to add a transition “Minimum index age is 730d” to a “delete” state without an action, I get this message:
Error : Failed to create policy: [illegal_argument_exception] Policy contains a transition in state=default pointing to a nonexistent state=delete
When I try to add an action (see screenshot below), I get this error message:
Error : Failed to create policy: [illegal_argument_exception] State=default cannot contain transitions if using delete action
I’m a newbie and tried to find out about states in the documentation and how to configure this, but I am missing a list of existing states and their explanation. Can you help me figure out how to configure this?
Hi,
Thanks a lot for your quick answer, I could create the policy like this. If I understand, it should delete indices older than 730d. I waited at least two hours and cluster health isn’t red as far as I understand. For now, it didn’t work, so I wonder which date it applies to?
I ingested some very old logs here (creation date 14/08/2023). Is it their creation date that counts as min_index_age, or the date indicated in the name of the index, which depends on the timestamp?
It’s the creation date that counts as min_index_age, so these indices have not entered the delete state. You can go to the Policy managed indices section to check the progress of ISM policy execution.
Thanks, I had a look at this section and there is nothing:
“There are no existing managed indices. Create a policy to add to an index.”
Does that mean my policy isn’t correctly configured?
Best regards,
M.
Yeah, that means your policy has not been attached to any index, so you need to attach the policy. You can go to the Indices section, select all the indices which have the winlogbeat prefix and then click the Apply policy button in the Actions menu. I think the reason the policy is not applied is that the ISM template in the policy only takes effect when an index is created, so for the existing indices, you need to apply the policy manually.
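
Added example (not part of the thread and not OpenSearch's own code): a local pre-check of an ISM policy document for the two conditions behind the error messages quoted above, plus a helper listing existing indices that match the `ism_template` and therefore need the policy applied manually. The state name `hold`, the `winlogbeat-*` pattern, the priority value and the sample index names are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy: a holding state that moves to a delete state after 730d.
# State names "hold"/"delete" and the winlogbeat-* pattern are assumptions.
POLICY = {"policy": {
    "description": "Delete winlogbeat indices 730 days after creation",
    "default_state": "hold",
    "states": [
        {"name": "hold", "actions": [],
         "transitions": [{"state_name": "delete",
                          "conditions": {"min_index_age": "730d"}}]},
        {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
    ],
    "ism_template": [{"index_patterns": ["winlogbeat-*"], "priority": 100}],
}}

def validate_policy(doc):
    """Local pre-check for the two conditions rejected in the thread."""
    p = doc["policy"]
    names = {s["name"] for s in p["states"]}
    errors = []
    if p.get("default_state") not in names:
        errors.append(f"default_state={p.get('default_state')} is not a defined state")
    for s in p["states"]:
        has_delete = any("delete" in a for a in s.get("actions", []))
        transitions = s.get("transitions", [])
        if has_delete and transitions:
            errors.append(f"State={s['name']} cannot contain transitions if using delete action")
        for t in transitions:
            if t["state_name"] not in names:
                errors.append(f"Policy contains a transition in state={s['name']} "
                              f"pointing to a nonexistent state={t['state_name']}")
    return errors

def needs_manual_attach(doc, existing_indices):
    """Existing indices matching ism_template; the template only covers new ones."""
    patterns = [pat for t in doc["policy"].get("ism_template", [])
                for pat in t["index_patterns"]]
    return [i for i in existing_indices if any(fnmatchcase(i, pat) for pat in patterns)]

if __name__ == "__main__":
    print(validate_policy(POLICY))       # no errors for the two-state layout
    print(json.dumps(POLICY, indent=2))  # body for the policy JSON editor
```

The delete action sits alone in its own terminal state, and the 730d condition lives on the transition out of the holding state, which is the layout both error messages point toward.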