Index aliasing on ES output #1670
Comments
|
Hi @edsiper, I was just wondering if this was likely to make it into the 1.3 release, whenever that may be? |
|
This feature is something that would be very useful for us too. Also, as mentioned in #1381 I was wondering if it could work without any changes. Would it work if I provide an alias name in the fluentbit index configuration field? The alias would point to a pre-created index with ILM linked to it. Or would it cause issues, as the precreated index would not have mappings defined? Thanks! |
This does not work. |
|
Hi again :) I still have a couple of concerns though.
|
Mappings are being deduced by elasticsearch from a document that is indexed as first for each new index. This might cause issues, if the first one produces mapping with a datetime field mapping and other subsequent ones from other sources do not match it and require plain text field mapping.
All works fine here and indices rollover without issues. |
|
Extra points if fluent-bit es output could setup the ILM policy, how filebeat does today. |
|
Setting a write index and alias on an index should not be rocket science. One of the reasons we are switching back to filebeat is exactly the lack of support for ILM through index aliases. |
|
@edsiper is there any news about this issue? We have the same need. We would like to apply an ILM policy to an index created by fluent bit. Thank you |
|
any update on this issue |
The following patch adds 'record accessor' support for the
'logstash_prefix_key' configuration property. This enable to have
custom indices based on nested fields if required, e.g;
{"key1": 1234, "kubernetes": {"labels: {"app": "prod"}}}
You can configure a logstash prefix as follows:
[OUTPUT]
name es
match *
logstash_format on
logstash_prefix_key $kubernetes['labels']['app']
The final index for the record above and the proposed config will generate:
prod-2021.01.24
Signed-off-by: Eduardo Silva <eduardo@treasure-data.com>
|
Elasticsearch output plugin has been updated for |
|
But then still you fluent-bit will create a new index every day with the date in the titel as the alias cannot remove the date |
|
@beer1970 do you think the ideal case will port the same feature for non logstash_format ? |
|
would be nice to still have the logstash_format as format of the event but a option to skip the date on the end |
|
@edsiper At the minimum what is needed to use ILM successfully is basically an ability to specify a single index without trying to recreate it if it's already present. I want to store my logs in: That way the automation scripts can configure a lifecycle policy for that index prior to running fluentbit. This makes ES in charge of maintaining the storage for the index without a need to create maintenance jobs to clean up old indexes etc. A more fancy solution would require fluentbit to configure ILM, like filebeat does here: |
|
Just a comment about what I said above. |
|
On our side (elasticsearch v7.14.0 and fluent-bit v1.8.15) we've configured the ILM to work with fluent-bit in this way:
Maybe the documentation for the elasticsearch output plugin should be updated? The part related to the Regards, |
Hi @alternaivan Can you send me the index template definition? I try with: |
|
Hi @zeusal, Sure, this is the index template definition I'm using. {
"index_patterns": [
"fluent-*"
],
"priority": 1,
"template": {
"settings": {
"number_of_shards": 3,
"number_of_replicas": 1,
"index.lifecycle.name": "fluent-bit",
"index.lifecycle.rollover_alias": "fluent-bit"
}
}
}Hope this helps! |
Thank you for your help. I have had to change that definition since I use opensearch in my case. "index_patterns": [
"cluster-pro-*"
],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": 3,
"number_of_replicas": 1,
"opendistro": {
"index_state_management": {
"policy_id": "cluster-pro-policy",
"rollover_alias": "cluster-pro"
}
}
}
},
}Then I created the index with: "aliases": {
"cluster-pro": {
"is_write_index": true
}
}
}I only have one question, in my policy creation, I should added rollover action? Regards and thank you! |
Yes, correct. Regards! ;) |
|
@alternaivan - after much hassle, I ended up exact same approach, however if I delete the main index (getting written), We get back to the same problem. Have you been able to get around that? Not sure why this issue is closed. |
|
Hi @rats-github01, Sorry for taking time to reply, didn't see thw comment. If by main index you mean fluent-bit-00001, it gets automatically rolled over by elasticsearch, and after the configured period on your ILM gets deleted automatically. I haven't manually removed index. Hope this helps. |
Solution works fine. But what if i have dynamic index naming, for example prod-app01, prod-app02, dev-app01... and whatever i will deploy to k8s cluster. I can't create single template and match all my names. Is there are solutions, regex for example? |
In the following link you can see what elasticsearch allows: A priori as far as I understand it only accepts wildcards (*). You can use: |
Sorry, my question was not clear. I asked about "rollover_alias" |
Firstly, just want say a huge thanks 馃憦 for all the effort you guys put into fbit and for producing what we consider an essential component of our tech stack!
Is your feature request related to a problem? Please describe.
We use ES primarily for centralised logging of on-prem k8s clusters and we are experiencing frustration, rather than problems trying to manage the over-all size of our ES DB and how to keep it manageable.
Given our primary usage, we don't really need to retain log events longer than a certain period of time and they need to remain 'hot', to use ES phraseology, only for a fairly short period of time. Given this we set
Logstash_Formatto on and this effectively gives us daily rolling of indices.However, this leaves us having to manage the ever growing list of daily created indices which isn't ideal. We are actually doing this manually, yes, we could use curator and may end up having to do this but a 'better' solution is to use the in-built ILM (see below).
Describe the solution you'd like
In newer versions of ES (6.7+) there is the index lifecycle management (ILM), which provides a way to create a policy that will allow us to rotate log indices using more granular timeframes than daily, something that is not essential but still very useful. Moore importantly, it allows us to specify a maximum retention time for indices meaning they are automatically deleted after a specified period of time. This is now the recommended way to manage index lifecycles.
The use of the ILM feature requires that indices are created with an alias such that the underlying index can be rolled over and anything writing to the alias can carry on as normal. It is for this reason that I'd like to request the addition of an aliasing feature to the ES output plugin that can be used in conjunction with the
Indexattribute.Thanks, Andy.
P.S. Thought it worth adding that this feature is available when using filebeats.
The text was updated successfully, but these errors were encountered: