ELK: script to delete indices older than 30 days

Script approach

 

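#!/bin/bash

# List the current indices
curl -s -XGET "http://172.21.91.64:9200/_cat/indices?v" -w '\n'

# Keep only the last 30 days of log indices (delete the index dated 30 days ago)
retain_time=$(date -d "30 days ago" +%Y.%m.%d)
echo "${retain_time}"
es_api="http://172.21.91.64:9200/*-${retain_time}"
echo "${es_api}"

# Delete the index dated 30 days ago (no password)
#curl -XDELETE "${es_api}"
# Delete the index dated 30 days ago (with password)
# The password is read from the ES_PASSWORD environment variable (an assumed name)
# instead of being hard-coded in the script
curl --user "elastic:${ES_PASSWORD}" -XDELETE "${es_api}" -w '\n'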

 

Verification:

curl "http://172.21.91.64:9200/*-2021.11.16"
curl -s -XGET "http://172.21.91.64:9200/_cat/indices?v"    # check the storage space in use
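
The script above deletes only the index dated exactly 30 days ago, so a day on which the job does not run leaves that index behind permanently. The following added example (not from the original post) lists the indices and selects every one whose date suffix is on or before the cutoff, deleting each by exact name instead of by wildcard; `ES_PASSWORD` and the function names are assumptions, and the sample index names are constructed.

```shell
#!/bin/bash
# Added example, not from the original post. ES_PASSWORD and the function
# names are assumptions; the sample index names below are constructed.

# Read index names on stdin and print those whose -YYYY.MM.DD suffix is
# on or before the cutoff date given as $1 (format YYYY.MM.DD).
expired_indices() {
  cutoff=$(printf '%s' "$1" | tr -d '.')
  while IFS= read -r name; do
    case "$name" in
      .*) continue ;;                                   # skip system/hidden indices
      *-[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) ;;  # dated index: evaluate it
      *) continue ;;                                    # no date suffix: never touch
    esac
    stamp=$(printf '%s' "${name##*-}" | tr -d '.')      # 2021.11.16 -> 20211116
    if [ "$stamp" -le "$cutoff" ]; then
      printf '%s\n' "$name"
    fi
  done
  return 0
}

# List indices, select the expired ones and delete each by exact name.
# Only prints what it would delete unless the third argument is "delete".
purge_expired() {
  es_url="$1"; days="$2"; mode="${3:-dry-run}"
  cutoff_date=$(date -d "${days} days ago" +%Y.%m.%d)
  curl -s --user "elastic:${ES_PASSWORD}" "${es_url}/_cat/indices?h=index" |
    expired_indices "$cutoff_date" |
    while IFS= read -r idx; do
      if [ "$mode" = "delete" ]; then
        curl -s --user "elastic:${ES_PASSWORD}" -XDELETE "${es_url}/${idx}" -w '\n'
      else
        echo "would delete: ${idx}"
      fi
    done
}

# Offline demonstration on constructed index names, cutoff 2021.11.16.
sample_indices='auditbeat-7.15.2-2021.10.01
filebeat-7.15.2-2021.11.15
filebeat-7.15.2-2021.11.16
filebeat-7.15.2-2021.12.01
.kibana_7.15.2_001
nginx-access'
printf '%s\n' "$sample_indices" | expired_indices 2021.11.16
```

Run `purge_expired http://172.21.91.64:9200 30` first to review the dry-run list, then repeat with `delete` as the third argument.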

 

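Console approach

The ILM policy below rolls the index over at 50 GB or 30 days and deletes it 30 days later. Once an index has rolled over, the delete phase's min_age is counted from the rollover, so data can stay on disk for longer than 30 days.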

PUT _ilm/policy/auditbeat
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      },
      "delete": {
        "min_age": "30d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

 

 

posted @ 2021-12-16 14:58  缺个好听的昵称