I am using the ELK 7.10.2 OSS version. I have enabled Metricbeat and created the policy below to delete its indices after 15 days.
{
"policy_id": "beat_delete_policy",
"description": "Policy that change the state of index to delete if that index gets older than month",
"last_updated_time": 1597387198453,
"schema_version": 1,
"error_notification": null,
"default_state": "new",
"states": [
{
"name": "old",
"actions": [
{
"delete": {}
}
],
"transitions": []
},
{
"name": "new",
"actions": [],
"transitions": [
{
"state_name": "notNew",
"conditions": {
"min_index_age": "7d"
}
}
]
},
{
"name": "notNew",
"actions": [],
"transitions": [
{
"state_name": "old",
"conditions": {
"min_index_age": "15d"
}
}
]
}
],
"ism_template": null
}
I also have a template to make sure all newly created metricbeat indexes follow the above policy. However, there seems to be a problem with the template, because the policy is not deleting the index after 15 days. When I use the GET API to check the _settings of a metricbeat index, it shows the policy is already applied.
Template :
PUT _template/metricbeat-policy
{
"index_patterns": ["metricbeat-*"],
"settings": {
"opendistro.index_state_management.policy_id": "beat_delete_policy"
}
}
GET metricbeat-7.10.2-2021.03.29/_settings
Below is the output of the above query.
{
"metricbeat-7.10.2-2021.03.29" : {
"settings" : {
"index" : {
"codec" : "best_compression",
"mapping" : {
"total_fields" : {
"limit" : "10000"
}
},
"opendistro" : {
"index_state_management" : {
"policy_id" : "beat_delete_policy"
}
},
"refresh_interval" : "5s",
"number_of_shards" : "1",
"provided_name" : "metricbeat-7.10.2-2021.03.29",
"max_docvalue_fields_search" : "200",
"query" : {
"default_field" : [
"message",
"tags",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"as.organization.name",
"client.address",
"client.as.organization.name",
"client.domain",
"client.geo.city_name",
"client.geo.continent_name",
"client.geo.country_iso_code",
"client.geo.country_name",
"client.geo.name",
"client.geo.region_iso_code",
"client.geo.region_name",
"client.mac",
"client.registered_domain",
"client.top_level_domain",
"client.user.domain",
"client.user.email",
"client.user.full_name",
"client.user.group.domain",
"client.user.group.id",
"client.user.group.name",
"client.user.hash",
"client.user.id",
"client.user.name",
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"container.id",
"container.image.name",
"container.image.tag",
"container.name",
"container.runtime",
"destination.address",
"destination.as.organization.name",
"destination.domain",
"destination.geo.city_name",
"destination.geo.continent_name",
"destination.geo.country_iso_code",
"destination.geo.country_name",
"destination.geo.name",
"destination.geo.region_iso_code",
"destination.geo.region_name",
"destination.mac",
"destination.registered_domain",
"destination.top_level_domain",
"destination.user.domain",
"destination.user.email",
"destination.user.full_name",
"destination.user.group.domain",
"destination.user.group.id",
"destination.user.group.name",
"destination.user.hash",
"destination.user.id",
"destination.user.name",
"dns.answers.class",
"dns.answers.data",
"dns.answers.name",
"dns.answers.type",
"dns.header_flags",
"dns.id",
"dns.op_code",
"dns.question.class",
"dns.question.name",
"dns.question.registered_domain",
"dns.question.subdomain",
"dns.question.top_level_domain",
"dns.question.type",
"dns.response_code",
"dns.type",
"ecs.version",
"error.code",
"error.id",
"error.message",
"error.stack_trace",
"error.type",
"event.action",
"event.category",
"event.code",
"event.dataset",
"event.hash",
"event.id",
"event.kind",
"event.module",
"event.original",
"event.outcome",
"event.provider",
"event.timezone",
"event.type",
"file.device",
"file.directory",
"file.extension",
"file.gid",
"file.group",
"file.hash.md5",
"file.hash.sha1",
"file.hash.sha256",
"file.hash.sha512",
"file.inode",
"file.mode",
"file.name",
"file.owner",
"file.path",
"file.target_path",
"file.type",
"file.uid",
"geo.city_name",
"geo.continent_name",
"geo.country_iso_code",
"geo.country_name",
"geo.name",
"geo.region_iso_code",
"geo.region_name",
"group.domain",
"group.id",
"group.name",
"hash.md5",
"hash.sha1",
"hash.sha256",
"hash.sha512",
"host.architecture",
"host.geo.city_name",
"host.geo.continent_name",
"host.geo.country_iso_code",
"host.geo.country_name",
"host.geo.name",
"host.geo.region_iso_code",
"host.geo.region_name",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.full",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.type",
"host.user.domain",
"host.user.email",
"host.user.full_name",
"host.user.group.domain",
"host.user.group.id",
"host.user.group.name",
"host.user.hash",
"host.user.id",
"host.user.name",
"http.request.body.content",
"http.request.method",
"http.request.referrer",
"http.response.body.content",
"http.version",
"log.level",
"log.logger",
"log.origin.file.name",
"log.origin.function",
"log.original",
"log.syslog.facility.name",
"log.syslog.severity.name",
"network.application",
"network.community_id",
"network.direction",
"network.iana_number",
"network.name",
"network.protocol",
"network.transport",
"network.type",
"observer.geo.city_name",
"observer.geo.continent_name",
"observer.geo.country_iso_code",
"observer.geo.country_name",
"observer.geo.name",
"observer.geo.region_iso_code",
"observer.geo.region_name",
"observer.hostname",
"observer.mac",
"observer.name",
"observer.os.family",
"observer.os.full",
"observer.os.kernel",
"observer.os.name",
"observer.os.platform",
"observer.os.version",
"observer.product",
"observer.serial_number",
"observer.type",
"observer.vendor",
"observer.version",
"organization.id",
"organization.name",
"os.family",
"os.full",
"os.kernel",
"os.name",
"os.platform",
"os.version",
"package.architecture",
"package.checksum",
"package.description",
"package.install_scope",
"package.license",
"package.name",
"package.path",
"package.version",
"process.args",
"text",
"process.executable",
"process.hash.md5",
"process.hash.sha1",
"process.hash.sha256",
"process.hash.sha512",
"process.name",
"text",
"text",
"text",
"text",
"text",
"process.thread.name",
"process.title",
"process.working_directory",
"server.address",
"server.as.organization.name",
"server.domain",
"server.geo.city_name",
"server.geo.continent_name",
"server.geo.country_iso_code",
"server.geo.country_name",
"server.geo.name",
"server.geo.region_iso_code",
"server.geo.region_name",
"server.mac",
"server.registered_domain",
"server.top_level_domain",
"server.user.domain",
"server.user.email",
"server.user.full_name",
"server.user.group.domain",
"server.user.group.id",
"server.user.group.name",
"server.user.hash",
"server.user.id",
"server.user.name",
"service.ephemeral_id",
"service.id",
"service.name",
"service.node.name",
"service.state",
"service.type",
"service.version",
"source.address",
"source.as.organization.name",
"source.domain",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_iso_code",
"source.geo.country_name",
"source.geo.name",
"source.geo.region_iso_code",
"source.geo.region_name",
"source.mac",
"source.registered_domain",
"source.top_level_domain",
"source.user.domain",
"source.user.email",
"source.user.full_name",
"source.user.group.domain",
"source.user.group.id",
"source.user.group.name",
"source.user.hash",
"source.user.id",
"source.user.name",
"threat.framework",
"threat.tactic.id",
"threat.tactic.name",
"threat.tactic.reference",
"threat.technique.id",
"threat.technique.name",
"threat.technique.reference",
"tracing.trace.id",
"tracing.transaction.id",
"url.domain",
"url.extension",
"url.fragment",
"url.full",
"url.original",
"url.password",
"url.path",
"url.query",
"url.registered_domain",
"url.scheme",
"url.top_level_domain",
"url.username",
"user.domain",
"user.email",
"user.full_name",
"user.group.domain",
"user.group.id",
"user.group.name",
"user.hash",
"user.id",
"user.name",
"user_agent.device.name",
"user_agent.name",
"text",
"user_agent.original",
"user_agent.os.family",
"user_agent.os.full",
"user_agent.os.kernel",
"user_agent.os.name",
"user_agent.os.platform",
"user_agent.os.version",
"user_agent.version",
"text",
"agent.hostname",
"timeseries.instance",
"cloud.project.id",
"cloud.image.id",
"host.os.build",
"host.os.codename",
"kubernetes.pod.name",
"kubernetes.pod.uid",
"kubernetes.namespace",
"kubernetes.node.name",
"kubernetes.replicaset.name",
"kubernetes.deployment.name",
"kubernetes.statefulset.name",
"kubernetes.container.name",
"kubernetes.container.image",
"jolokia.agent.version",
"jolokia.agent.id",
"jolokia.server.product",
"jolokia.server.version",
"jolokia.server.vendor",
"jolokia.url",
"metricset.name",
"service.address",
"service.hostname",
"type",
"systemd.fragment_path",
"systemd.unit",
"aerospike.namespace.name",
"aerospike.namespace.node.host",
"aerospike.namespace.node.name",
"apache.status.hostname",
"beat.id",
"beat.type",
"beat.state.output.name",
"beat.state.queue.name",
"beat.stats.libbeat.output.type",
"ceph.cluster_health.overall_status",
"ceph.cluster_health.timechecks.round.status",
"ceph.mgr_osd_pool_stats.pool_name",
"ceph.monitor_health.health",
"ceph.monitor_health.name",
"ceph.osd_df.name",
"ceph.osd_df.device_class",
"ceph.osd_tree.name",
"ceph.osd_tree.type",
"ceph.osd_tree.children",
"ceph.osd_tree.status",
"ceph.osd_tree.device_class",
"ceph.osd_tree.father",
"ceph.pool_disk.name",
"couchbase.bucket.name",
"couchbase.bucket.type",
"couchbase.node.hostname",
"docker.container.command",
"docker.container.status",
"docker.container.tags",
"docker.event.status",
"docker.event.id",
"docker.event.from",
"docker.event.type",
"docker.event.action",
"docker.event.actor.id",
"docker.healthcheck.status",
"docker.healthcheck.event.output",
"docker.image.id.current",
"docker.image.id.parent",
"docker.image.tags",
"docker.info.id",
"docker.network.interface",
"elasticsearch.cluster.name",
"elasticsearch.cluster.id",
"elasticsearch.cluster.state.id",
"elasticsearch.node.id",
"elasticsearch.node.name",
"elasticsearch.ccr.leader.index",
"elasticsearch.ccr.follower.index",
"elasticsearch.cluster.stats.status",
"elasticsearch.index.name",
"elasticsearch.index.recovery.type",
"elasticsearch.index.recovery.stage",
"elasticsearch.index.recovery.target.id",
"elasticsearch.index.recovery.target.host",
"elasticsearch.index.recovery.target.name",
"elasticsearch.index.recovery.source.id",
"elasticsearch.index.recovery.source.host",
"elasticsearch.index.recovery.source.name",
"elasticsearch.ml.job.id",
"elasticsearch.ml.job.state",
"elasticsearch.node.version",
"elasticsearch.node.jvm.version",
"elasticsearch.cluster.pending_task.source",
"elasticsearch.shard.state",
"elasticsearch.shard.relocating_node.name",
"etcd.api_version",
"etcd.leader.leader",
"etcd.self.id",
"etcd.self.leaderinfo.leader",
"etcd.self.leaderinfo.starttime",
"etcd.self.leaderinfo.uptime",
"etcd.self.name",
"etcd.self.starttime",
"etcd.self.state",
"golang.expvar.cmdline",
"golang.heap.cmdline",
"graphite.server.example",
"haproxy.stat.status",
"haproxy.stat.service_name",
"haproxy.stat.cookie",
"haproxy.stat.load_balancing_algorithm",
"haproxy.stat.check.status",
"haproxy.stat.check.health.last",
"haproxy.stat.proxy.name",
"haproxy.stat.proxy.mode",
"haproxy.stat.agent.status",
"haproxy.stat.agent.description",
"haproxy.stat.agent.check.description",
"haproxy.stat.source.address",
"http.response.code",
"http.response.phrase",
"kafka.broker.address",
"kafka.topic.name",
"kafka.partition.topic_id",
"kafka.partition.topic_broker_id",
"kafka.broker.mbean",
"kafka.consumer.mbean",
"kafka.consumergroup.broker.address",
"kafka.consumergroup.id",
"kafka.consumergroup.topic",
"kafka.consumergroup.meta",
"kafka.consumergroup.client.id",
"kafka.consumergroup.client.host",
"kafka.consumergroup.client.member_id",
"kafka.partition.topic.name",
"kafka.partition.broker.address",
"kafka.producer.mbean",
"kibana.stats.name",
"kibana.stats.index",
"kibana.stats.host.name",
"kibana.stats.status",
"kibana.status.name",
"kibana.status.status.overall.state",
"kubernetes.apiserver.request.client",
"kubernetes.apiserver.request.resource",
"kubernetes.apiserver.request.subresource",
"kubernetes.apiserver.request.scope",
"kubernetes.apiserver.request.verb",
"kubernetes.apiserver.request.code",
"kubernetes.apiserver.request.content_type",
"kubernetes.apiserver.request.dry_run",
"kubernetes.apiserver.request.kind",
"kubernetes.apiserver.request.component",
"kubernetes.apiserver.request.group",
"kubernetes.apiserver.request.version",
"kubernetes.apiserver.request.handler",
"kubernetes.apiserver.request.method",
"kubernetes.apiserver.request.host",
"kubernetes.controllermanager.handler",
"kubernetes.controllermanager.code",
"kubernetes.controllermanager.method",
"kubernetes.controllermanager.host",
"kubernetes.controllermanager.name",
"kubernetes.controllermanager.zone",
"kubernetes.event.message",
"kubernetes.event.reason",
"kubernetes.event.type",
"kubernetes.event.source.component",
"kubernetes.event.source.host",
"kubernetes.event.metadata.generate_name",
"kubernetes.event.metadata.name",
"kubernetes.event.metadata.namespace",
"kubernetes.event.metadata.resource_version",
"kubernetes.event.metadata.uid",
"kubernetes.event.metadata.self_link",
"kubernetes.event.involved_object.api_version",
"kubernetes.event.involved_object.kind",
"kubernetes.event.involved_object.name",
"kubernetes.event.involved_object.resource_version",
"kubernetes.event.involved_object.uid",
"kubernetes.proxy.handler",
"kubernetes.proxy.code",
"kubernetes.proxy.method",
"kubernetes.proxy.host",
"kubernetes.scheduler.handler",
"kubernetes.scheduler.code",
"kubernetes.scheduler.method",
"kubernetes.scheduler.host",
"kubernetes.scheduler.name",
"kubernetes.scheduler.result",
"kubernetes.scheduler.operation",
"kubernetes.container.id",
"kubernetes.container.status.phase",
"kubernetes.container.status.reason",
"kubernetes.cronjob.name",
"kubernetes.cronjob.schedule",
"kubernetes.cronjob.concurrency",
"kubernetes.daemonset.name",
"kubernetes.node.status.ready",
"kubernetes.persistentvolume.name",
"kubernetes.persistentvolume.phase",
"kubernetes.persistentvolume.storage_class",
"kubernetes.persistentvolumeclaim.name",
"kubernetes.persistentvolumeclaim.volume_name",
"kubernetes.persistentvolumeclaim.phase",
"kubernetes.persistentvolumeclaim.access_mode",
"kubernetes.persistentvolumeclaim.storage_class",
"kubernetes.pod.status.phase",
"kubernetes.pod.status.ready",
"kubernetes.pod.status.scheduled",
"kubernetes.resourcequota.name",
"kubernetes.resourcequota.type",
"kubernetes.resourcequota.resource",
"kubernetes.service.name",
"kubernetes.service.cluster_ip",
"kubernetes.service.external_name",
"kubernetes.service.external_ip",
"kubernetes.service.load_balancer_ip",
"kubernetes.service.type",
"kubernetes.service.ingress_ip",
"kubernetes.service.ingress_hostname",
"kubernetes.storageclass.name",
"kubernetes.storageclass.provisioner",
"kubernetes.storageclass.reclaim_policy",
"kubernetes.storageclass.volume_binding_mode",
"kubernetes.system.container",
"kubernetes.volume.name",
"kvm.name",
"kvm.dommemstat.stat.name",
"kvm.dommemstat.name",
"kvm.status.state",
"logstash.node.jvm.version",
"mongodb.collstats.db",
"mongodb.collstats.collection",
"mongodb.collstats.name",
"mongodb.dbstats.db",
"mongodb.metrics.replication.executor.network_interface",
"mongodb.replstatus.set_name",
"mongodb.replstatus.members.primary.host",
"mongodb.replstatus.members.primary.optime",
"mongodb.replstatus.members.secondary.hosts",
"mongodb.replstatus.members.secondary.optimes",
"mongodb.replstatus.members.recovering.hosts",
"mongodb.replstatus.members.unknown.hosts",
"mongodb.replstatus.members.startup2.hosts",
"mongodb.replstatus.members.arbiter.hosts",
"mongodb.replstatus.members.down.hosts",
"mongodb.replstatus.members.rollback.hosts",
"mongodb.replstatus.members.unhealthy.hosts",
"mongodb.status.storage_engine.name",
"munin.plugin.name",
"mysql.galera_status.cluster.status",
"mysql.galera_status.connected",
"mysql.galera_status.evs.evict",
"mysql.galera_status.evs.state",
"mysql.galera_status.local.state",
"mysql.galera_status.ready",
"mysql.performance.events_statements.digest",
"mysql.performance.table_io_waits.object.schema",
"mysql.performance.table_io_waits.object.name",
"mysql.performance.table_io_waits.index.name",
"nats.server.id",
"nginx.stubstatus.hostname",
"php_fpm.pool.name",
"php_fpm.pool.process_manager",
"php_fpm.process.state",
"php_fpm.process.script",
"postgresql.activity.database.name",
"postgresql.activity.user.name",
"postgresql.activity.application_name",
"postgresql.activity.client.address",
"postgresql.activity.client.hostname",
"postgresql.activity.state",
"postgresql.activity.query",
"postgresql.database.name",
"postgresql.statement.query.text",
"rabbitmq.vhost",
"rabbitmq.connection.name",
"rabbitmq.connection.type",
"rabbitmq.connection.host",
"rabbitmq.connection.peer.host",
"rabbitmq.connection.client_provided.name",
"rabbitmq.exchange.name",
"rabbitmq.node.name",
"rabbitmq.node.type",
"rabbitmq.queue.name",
"rabbitmq.queue.state",
"redis.info.memory.max.policy",
"redis.info.memory.allocator",
"redis.info.persistence.rdb.bgsave.last_status",
"redis.info.persistence.aof.bgrewrite.last_status",
"redis.info.persistence.aof.write.last_status",
"redis.info.replication.role",
"redis.info.replication.master.link_status",
"redis.info.server.git_sha1",
"redis.info.server.git_dirty",
"redis.info.server.build_id",
"redis.info.server.mode",
"redis.info.server.arch_bits",
"redis.info.server.multiplexing_api",
"redis.info.server.gcc_version",
"redis.info.server.run_id",
"redis.info.server.config_file",
"redis.key.name",
"redis.key.id",
"redis.key.type",
"redis.keyspace.id",
"system.diskio.name",
"system.diskio.serial_number",
"system.filesystem.device_name",
"system.filesystem.type",
"system.filesystem.mount_point",
"system.network.name",
"system.process.state",
"system.process.cmdline",
"system.process.cgroup.id",
"system.process.cgroup.path",
"system.process.cgroup.cpu.id",
"system.process.cgroup.cpu.path",
"system.process.cgroup.cpuacct.id",
"system.process.cgroup.cpuacct.path",
"system.process.cgroup.memory.id",
"system.process.cgroup.memory.path",
"system.process.cgroup.blkio.id",
"system.process.cgroup.blkio.path",
"system.raid.name",
"system.raid.status",
"system.raid.level",
"system.raid.sync_action",
"system.service.name",
"system.service.load_state",
"system.service.state",
"system.service.sub_state",
"system.service.exec_code",
"system.socket.remote.host",
"system.socket.remote.etld_plus_one",
"system.socket.remote.host_error",
"system.socket.process.cmdline",
"system.users.id",
"system.users.seat",
"system.users.path",
"system.users.type",
"system.users.service",
"system.users.state",
"system.users.scope",
"system.users.remote_host",
"uwsgi.status.worker.status",
"uwsgi.status.worker.rss",
"vsphere.datastore.name",
"vsphere.datastore.fstype",
"vsphere.host.name",
"vsphere.host.network_names",
"vsphere.virtualmachine.host.id",
"vsphere.virtualmachine.host.hostname",
"vsphere.virtualmachine.name",
"vsphere.virtualmachine.os",
"vsphere.virtualmachine.network_names",
"windows.perfmon.instance",
"windows.service.id",
"windows.service.name",
"windows.service.display_name",
"windows.service.start_type",
"windows.service.start_name",
"windows.service.path_name",
"windows.service.state",
"windows.service.exit_code",
"zookeeper.mntr.hostname",
"zookeeper.mntr.server_state",
"zookeeper.server.mode",
"zookeeper.server.zxid",
"fields.*"
]
},
"creation_date" : "1616965202987",
"number_of_replicas" : "1",
"uuid" : "w0GJFckaTIWXDkIOcx1KHA",
"version" : {
"created" : "7100299"
}
}
}
}
}