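Scheduled bulk deletion of Elasticsearch indices by date

When the ELK stack is used as a log analysis tool, collecting nginx access logs, application logs, heartbeat logs, server metrics and so on, it produces a large number of indices every day, and they take up disk space. Outdated data has to be deleted to free that space.

Deleting with the official _delete_by_query API

Official documentation: Delete By Query API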

curl -u username:password -H'Content-Type:application/json' -d'{ "query": { "range": { "@timestamp": { "lt": "now-7d", "format": "epoch_millis" } } } } ' -XPOST "http://127.0.0.1:9200/*-*/_delete_by_query?pretty"

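Explanation

-u takes the form userName:password and logs in with Basic Auth. If Elasticsearch is not protected by something like X-Pack security, the -u parameter is not needed.

-H specifies that the document type is JSON.

-XPOST specifies that the request uses the POST method.

-d specifies the body content.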

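{
    "query": {
        "range": { // range query
            "@timestamp": { // time field
                "lt": "now-7d", // lt is less than (<), lte is less than or equal (<=), gt is greater than (>), gte is greater than or equal (>=); now-7d is the current time minus 7 days
                "format": "epoch_millis"
            }
        }
    }
}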

Scheduled deletion

$ crontab -e

0 0 * * * /usr/bin/curl -u username:password -H'Content-Type:application/json' -d'{"query":{"range":{"@timestamp":{"lt":"now-7d","format":"epoch_millis"}}}}' -XPOST "http://127.0.0.1:9200/*-*/_delete_by_query?pretty" > /tmp/elk_clean.txt

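Every day at 00:00, this deletes the stale index data older than 7 days.

Advantages:

  • No dependency on third-party plugins or code

  • Simple and easy to understand

  • No need to name the indices; the * wildcard can be used for deletion

Disadvantages:

  • Low efficiency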

Deleting with a shell script

I came across this post on Stack Overflow: Removing old indices in elasticsearch#answer-39746705

#!/bin/bash
# Index name prefix and Elasticsearch endpoint
searchIndex=logstash-monitor
elastic_url=logging.core.k94.kvk.nl
elastic_port=9200

# Convert a date string to a Unix timestamp (GNU date)
date2stamp () {
    date --utc --date "$1" +%s
}

# Absolute difference between two dates; the unit defaults to days
dateDiff (){
    case $1 in
        -s)   sec=1;      shift;;
        -m)   sec=60;     shift;;
        -h)   sec=3600;   shift;;
        -d)   sec=86400;  shift;;
        *)    sec=86400;;
    esac
    dte1=$(date2stamp "$1")
    dte2=$(date2stamp "$2")
    diffSec=$((dte2-dte1))
    if ((diffSec < 0)); then abs=-1; else abs=1; fi
    echo $((diffSec/sec*abs))
}

# List indices named ${searchIndex}-YYYY.MM.DD and flag those more than one day old
for index in $(curl -s "${elastic_url}:${elastic_port}/_cat/indices?v" |     grep -E " ${searchIndex}-20[0-9][0-9]\.[0-1][0-9]\.[0-3][0-9]" | awk '{ print $3 }'); do
  date=$(echo "${index: -10}" | sed 's/\./-/g')
  cond=$(date +%Y-%m-%d)
  diff=$(dateDiff -d "$date" "$cond")
  echo -n "${index} (${diff})"
  if [ "$diff" -gt 1 ]; then
    echo " / DELETE"
    # Uncomment the next line to actually delete the index
    # curl -XDELETE "${elastic_url}:${elastic_port}/${index}?pretty"
  else
    echo ""
  fi
done

It uses the _cat/indices API.
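
A hardened variant of the script above, as an added example that is not part of the original post or the Stack Overflow answer: it accepts only index names of the exact form prefix-YYYY.MM.DD, defaults to a dry run, and reads credentials from a netrc file so the password does not appear in the crontab or the process list. The variable and function names, the netrc path and the --run switch are assumptions; GNU date is required.

```sh
#!/bin/sh
# Added example, not from the original post. ES_URL, PREFIX, KEEP_DAYS, NETRC,
# DRY_RUN, expired_indices and purge are assumed names.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"
PREFIX="${PREFIX:-logstash-monitor}"
KEEP_DAYS="${KEEP_DAYS:-7}"
# chmod 600 file holding: machine 127.0.0.1 login <user> password <password>
NETRC="${NETRC:-$HOME/.es-cleanup.netrc}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only report, 0 = really delete

# Reads index names on stdin and prints those named exactly
# <prefix>-YYYY.MM.DD with a date strictly before the cutoff (YYYYMMDD).
# Any other name is skipped, so nothing unexpected reaches the DELETE URL.
expired_indices() {
  ei_prefix=$1 ei_cutoff=$2
  while IFS= read -r ei_name; do
    ei_name=${ei_name%% *}                      # drop column padding
    case $ei_name in
      "$ei_prefix"-*) ei_day=${ei_name#"$ei_prefix"-} ;;
      *) continue ;;
    esac
    case $ei_day in
      20[0-9][0-9].[01][0-9].[0-3][0-9]) ;;     # whole suffix must be a date
      *) continue ;;
    esac
    ei_rest=${ei_day#*.}
    ei_num=${ei_day%%.*}${ei_rest%%.*}${ei_rest#*.}   # 2024.01.09 -> 20240109
    if [ "$ei_num" -lt "$ei_cutoff" ]; then printf '%s\n' "$ei_name"; fi
  done
  return 0
}

purge() {
  # GNU date syntax, as in the script above.
  cutoff=$(date --utc --date "$KEEP_DAYS days ago" +%Y%m%d) || return 1
  # h=index limits _cat/indices to the index name column.
  curl -sS --fail --netrc-file "$NETRC" "$ES_URL/_cat/indices?h=index" |
    expired_indices "$PREFIX" "$cutoff" |
    while IFS= read -r index; do
      if [ "$DRY_RUN" = 1 ]; then
        echo "would delete $index"
      else
        curl -sS --fail --netrc-file "$NETRC" -XDELETE "$ES_URL/$index"
      fi
    done
}

# A cron entry would call: DRY_RUN=0 /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then purge; fi
```

Run it once with the default DRY_RUN=1 and check the "would delete" list before scheduling it with DRY_RUN=0.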

Using Curator

Packages are available for Windows (zip, msi) and Linux (apt, yum).

Curator Reference github-curator

Installation

Configuration

Reference: stackoverflow.com/questions/3…

1. Config file

---
# Remember, leave a key empty if there is no value. None will be a string,
# not a Python "NoneType"
client:
  hosts:
    - 127.0.0.1
  port: 9200
  url_prefix:
  use_ssl: False
  certificate:
  client_cert:
  client_key:
  ssl_no_validate: False
  http_auth: username:password
  timeout:
  master_only: True

logging:
  loglevel: INFO
  logfile:
  logformat: default
  #blacklist: ['elasticsearch', 'urllib3']

2. Action file

---
actions:
  1:
    action: delete_indices
    description: >-
      Delete indices older than 7 days (based on index name), for logstash-
      prefixed indices. Ignore the error if the filter does not result in an
      actionable list of indices (ignore_empty_list) and exit cleanly.
    options:
      ignore_empty_list: True
      timeout_override:
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: pattern
      kind: prefix
      value: logstash-
      exclude:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 7
      exclude:

Here the match is done on the index-'%Y.%m.%d' name. To delete by index creation date instead, use source: creation_date; see www.elastic.co/guide/en/el…

3. Run

curator --config /path/config_file.yml /path/action_file.yml

Don't forget to add the scheduled task with crontab -e.

This is my original work; please credit it when reposting.
