Is it possible to automatically delete data older than 10 days from Elasticsearch in real time?

Time: 2018-05-25 09:01:48

Tags: database elasticsearch lucene nosql search-engine

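curl -XGET '127.0.0.1:9200/messages/message/_search?pretty' returns data like the following. I would like to know whether it is possible to automatically delete data older than 10 days from Elasticsearch, preferably in real time? I have added my sample data because the field date could be used in this case. Or is there perhaps a more recommended approach?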

{
  "took" : 22,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 2,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "messages",
        "_type" : "message",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "message" : "example message1"
        }
      },
      {
        "_index" : "messages",
        "_type" : "message",
        "_id" : "ZODslt0LZ1T6GMrC",
        "_score" : 1.0,
        "_source" : {
          "date" : "2018-05-25T10:06:06Z",
          "message" : "example message1"
        }
      }
    ]
  }
}

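1 answer:

Answer 0: (score: 1)

Elastic Curator is exactly what you are looking for. You should create a separate file for each day's index.

For example, if your indices follow a pattern like YOUR_INDEX_NAME-%{+YYYY.MM.dd}, then you should apply the following configuration: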

actions:
  1:
    action: delete_indices
    options:
      ignore_empty_list: True
      timeout_override:
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: pattern
      kind: prefix
      value: YOUR_INDEX_NAME-
      exclude:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'  # date pattern in your index name
      unit: days
      unit_count: 10          # after how many days to delete the index
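
Added example, not part of the original answer and not Curator's own code: a dry-run sketch in Python that approximates the two filters in the configuration above (prefix match, then age taken from the date in the index name) so you can see which indices would be selected before anything is deleted. The index names, the fixed `NOW` value and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

PREFIX = "YOUR_INDEX_NAME-"   # placeholder prefix from the configuration above
TIMESTRING = "%Y.%m.%d"       # same date pattern as the age filter
UNIT_COUNT_DAYS = 10          # unit: days, unit_count: 10


def index_date(name, prefix=PREFIX, timestring=TIMESTRING):
    """Return the UTC date encoded in an index name, or None if it does not match."""
    if not name.startswith(prefix):
        return None
    try:
        parsed = datetime.strptime(name[len(prefix):], timestring)
    except ValueError:
        # Prefix matches but the suffix is not a date: never selected.
        return None
    return parsed.replace(tzinfo=timezone.utc)


def indices_to_delete(names, now, days=UNIT_COUNT_DAYS):
    """Select indices whose name-derived date is older than now minus `days`."""
    cutoff = now - timedelta(days=days)
    selected = []
    for name in names:
        stamp = index_date(name)
        if stamp is not None and stamp < cutoff:
            selected.append(name)
    return sorted(selected)


# Constructed sample data: a cluster listing and a fixed reference time.
SAMPLE_INDICES = [
    "messages",                      # undated index from the question
    "YOUR_INDEX_NAME-2018.05.14",
    "YOUR_INDEX_NAME-2018.05.15",
    "YOUR_INDEX_NAME-2018.05.16",
    "YOUR_INDEX_NAME-2018.05.25",
    "YOUR_INDEX_NAME-backup",        # prefix matches, no date in the name
    "OTHER-2018.01.01",              # old, but wrong prefix
]
NOW = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for index in indices_to_delete(SAMPLE_INDICES, NOW):
        print("would delete:", index)
```

The undated `messages` index from the question is never selected, so retention by index name only applies once documents are written to dated indices.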