脚本形式

 

#!/bin/bash

#只保留30天内的日志索引（删除30天前一天的日志）
retain_time=$(date -d "30 days ago" +%Y.%m.%d)
echo ${retain_time}
es_api="http://172.21.91.64:9200/*-$retain_time"
echo ${es_api}

#删除30天前一天的索引,没有密码方
curl -XDELETE ${es_api}
#删除30天前一天的索引（带密码）
#curl --cacert certs/ca/ca.crt -u elastic:OMcds4eJW3d9VQDDm0Ul -XDELETE ${es_api}

 

控制台方式

PUT _ilm/policy/auditbeat
{
  "policy" : {
      "phases" : {
        "hot" : {
          "min_age" : "0ms",
          "actions" : {
            "rollover" : {
              "max_size" : "50gb",
              "max_age" : "30d"
            }
          }
        },
        "delete": {
            "min_age": "30d",
            "actions": {
              "delete": {}              
            }
        }
      }
    }
}