
How to remove manually/automatically old or all ELK indices

There are several ways to delete old indices in ELK. We will look at some of them.
The first, easiest and least safe way is to remove all indices. It is done with a single command:

curl -XDELETE 'localhost:9200/_all'

*This deletes all of your indices, so be careful.

You can also remove specific indices manually with the commands below.
1. List all your existing indices

curl -XGET 'http://localhost:9200/_cat/indices'

2. Find the index you want to remove and run the following command, replacing index_name with its name

curl -XDELETE 'localhost:9200/index_name'
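The manual steps above can be scripted so that only named, old indices are selected and the DELETE commands are printed for review instead of being run. This is an added example, not code from the original article; the function names, the ES_URL variable, the sample data and the use of the `creation.date` column of `_cat/indices` are assumptions of the example.

```shell
#!/bin/sh
# Added example: select indices older than N days from _cat/indices output
# and print (not run) one explicit DELETE command per index.

ES_URL="${ES_URL:-http://localhost:9200}"   # assumption: host used in the article

# Constructed sample of: curl -s "$ES_URL/_cat/indices?h=index,creation.date"
SAMPLE_CAT_OUTPUT='logstash-2023.09.01     1693526400000
logstash-2023.11.10     1699574400000
functionbeat-2023.09.01 1693526400000
.kibana_1               1600000000000'

# stdin: lines of "<index> <creation time in epoch ms>"
# $1 = literal name prefix, $2 = max age in days,
# $3 = "now" in epoch seconds (optional, makes the result reproducible)
select_old_indices() {
  awk -v p="$1" -v days="$2" -v now="${3:-$(date +%s)}" '
    NF < 2             { next }   # malformed or empty line
    $1 ~ /^\./         { next }   # never select system/hidden indices
    index($1, p) != 1  { next }   # literal prefix match, no wildcards
    $2 !~ /^[0-9]+$/   { next }   # creation time must be numeric
    (now - $2 / 1000) > days * 86400 { print $1 }
  '
}

# stdin: index names. Prints a DELETE command per name (dry run) and
# refuses _all, wildcards and comma-separated lists.
print_delete_commands() {
  while IFS= read -r name; do
    case "$name" in
      ""|_all|*[*,]*) echo "refusing unsafe name: $name" >&2; continue ;;
    esac
    printf "curl -XDELETE '%s/%s'\n" "$ES_URL" "$name"
  done
}

# Example run against the constructed sample (30 days, fixed "now"):
#   printf '%s\n' "$SAMPLE_CAT_OUTPUT" \
#     | select_old_indices logstash- 30 1700000000 | print_delete_commands
```

Against a live cluster, replace the sample with the output of the `_cat/indices` call shown in the comment and review the printed commands before running them.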


Next, we will configure ELK to remove old indices automatically with an index lifecycle management (ILM) policy.

1. Create a policy that deletes indices after one month

curl -X PUT "http://localhost:9200/_ilm/policy/cleanup_policy?pretty" \
     -H 'Content-Type: application/json' \
     -d '{
      "policy": {                       
        "phases": {
          "hot": {                      
            "actions": {}
          },
          "delete": {
            "min_age": "30d",           
            "actions": { "delete": {} }
          }
        }
      }
    }'

2. Apply this policy to all existing functionbeat and logstash indices

curl -X PUT "http://localhost:9200/logstash-*/_settings?pretty" \
     -H 'Content-Type: application/json' \
     -d '{ "lifecycle.name": "cleanup_policy" }'
curl -X PUT "http://localhost:9200/functionbeat-*/_settings?pretty" \
     -H 'Content-Type: application/json' \
     -d '{ "lifecycle.name": "cleanup_policy" }'