Opensearch ILM/ISM issue

a.emrekaraman · January 21, 2023, 3:00pm

Hi Team,

I have a question which I never found on guides,google or any websites :).

I installed filebeat and I see ilm is enabled by default. I think that’s why there is a default rollover rule. I think that beucase I see I have different indexes for each day. For example; filebeat-7.12.1-2023.01.06 filebeat-7.12.1-2023.01.07 filebeat-7.12.1-2023.01.08 etc. Even if ILM is enabled by default, I dont see and policy on opensearch dashboard. Probably if I use elastic search , I would see ILM default config.

I want to enable ISM instead of ILM.

These are my questions;
1- ILM is enabled by default in filebeat. How can I see default rule on opensearch dashboard?
2-If I disable ILM on filebeat config, how to confirm it works?
3-or any info or experiences which you have on this topic, I will glad to here.

Thanks in advance

radu.gheorghe · January 23, 2023, 1:41pm

I assume Filebeat tries to enable an ILM policy, but that wouldn’t work in OpenSearch because there’s no ILM in OpenSearch (it’s only in Elasticsearch). So I think you can ignore the ILM stuff from Filebeat and just set up an ISM policy, then start indexing data.

a.emrekaraman · January 23, 2023, 1:51pm

Hi Radu,

Thanks for response. I think so but I see rollover policy for filebeat index. I see I have different indexes for each day. For example; filebeat-7.12.1-2023.01.06 filebeat-7.12.1-2023.01.07 filebeat-7.12.1-2023.01.08 etc.

If ILM is available for opensearch hot it rollover index. There is no ISM config as default.

How and where can I check default rollover rule ?

Thanks

radu.gheorghe · January 23, 2023, 1:52pm

Ah, I think that’s Filebeat’s default of writing events to an index that looks like:

filebeat-VERSION-YYY.MM.DD

Clarification: the above has nothing to do with ILM or ISM, it’s just a naming template.

To use ISM, you’ll need to change the index in Filebeat’s Elasticsearch output to something fixed, like “logs”. On the OpenSearch side, you’ll need a “logs” alias that will be managed by ISM.

a.emrekaraman · January 23, 2023, 1:58pm

Yes you’re. they are looking like filebeat-VERSION-YYY.MM.DD but I just did not understand why there are different index for each day. What cause to create different index for each day.

radu.gheorghe · January 23, 2023, 2:09pm

It’s because of the default setting for “index”: Configure the Elasticsearch output | Filebeat Reference [7.10] | Elastic

a.emrekaraman · January 25, 2023, 6:12am

Hi Radu, I checked the link you shared but I did not understand which setting cause this rollover day by day. can you please share it directly for example can ı change is as two days for rollover time no one day.

Topic		Replies	Views
Question Regarding ISM Policy Compatibility in OpenSearch Version 2.3.0 OpenSearch releases , discuss , index-management	7	318	September 12, 2023
Roll over alias with Filebeat OSS with Open Distro Elasticsearch Index Management	1	733	July 24, 2020
Logstash to send logs to ISM Policy based Index OpenSearch configure	2	110	February 27, 2024
Policy ISM - Rollover OpenSearch troubleshoot , configure , index-management	6	488	April 6, 2023
ISM config help without data stream or daily base index naming OpenSearch	8	243	February 21, 2023

Opensearch ILM/ISM issue

Related Topics