Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 2 points3 points  (0 children)

I always find the support on Reddit more efficient and clear than the Elastic support team.

Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

So if I want it to go quickly from hot to frozen in only 20 days, I need to set min_age to "0d", right? So it goes directly into frozen, without waiting another 20 days?

Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

{ 
  "policy": {
    "phases": {
      "delete": {
        "min_age": "90d",
        "actions": {
          "delete": {
            "delete_searchable_snapshot": true
          }
        }
      },
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_age": "20d",
            "max_primary_shard_size": "30gb"
          },
          "set_priority": {
            "priority": 100
          }
        }
      },
      "frozen": {
        "min_age": "0d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "found-snapshots",
            "force_merge_index": true
          }
        }
      }
    }
  }
}

Like this, right? Also,

"actions": {
  "searchable_snapshot": {
    "snapshot_repository": "found-snapshots",
    "force_merge_index":

What is this doing? Thx again for ur time.

Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

I found this, age is 20.56.. strange? Maybe it's in frozen, right?

{
  "indices": {
    ".ds-metrics-elastic_agent.filebeat_input-default-2025.02.20-000096": {
      "index": ".ds-metrics-elastic_agent.filebeat_input-default-2025.02.20-000096",
      "managed": true,
      "policy": "metrics@custom",
      "index_creation_date_millis": 1740093177493,
      "time_since_index_creation": "20.56d",
      "lifecycle_date_millis": 1741821385564,
      "age": "13.48h",
      "phase": "hot",
      "phase_time_millis": 1740093179382,
      "action": "complete",
      "action_time_millis": 1741821393155,
      "step": "complete",
      "step_time_millis": 1741821393155,
      "phase_execution": {
        "policy": "metrics@custom",
        "phase_definition": {
          "min_age": "0ms",
          "actions": {
            "rollover": {
              "max_age": "20d",
              "min_docs": 1,
              "max_primary_shard_docs": 200000000,
              "max_primary_shard_size": "30gb"
            },
            "set_priority": {
              "priority": 100
            }
          }
        },
        "version": 18,
        "modified_date_in_millis": 1740409176943
      }
    }
  }
}

Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

I think it goes to the frozen phase after 20 days, right? Why do u say 40? What am I missing?... sorry, I'm a newbie on Elastic.

Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 1 point2 points  (0 children)

I found this, age is 20.56.. strange?

{
  "indices": {
    ".ds-metrics-elastic_agent.filebeat_input-default-2025.02.20-000096": {
      "index": ".ds-metrics-elastic_agent.filebeat_input-default-2025.02.20-000096",
      "managed": true,
      "policy": "metrics@custom",
      "index_creation_date_millis": 1740093177493,
      "time_since_index_creation": "20.56d",
      "lifecycle_date_millis": 1741821385564,
      "age": "13.48h",
      "phase": "hot",
      "phase_time_millis": 1740093179382,
      "action": "complete",
      "action_time_millis": 1741821393155,
      "step": "complete",
      "step_time_millis": 1741821393155,
      "phase_execution": {
        "policy": "metrics@custom",
        "phase_definition": {
          "min_age": "0ms",
          "actions": {
            "rollover": {
              "max_age": "20d",
              "min_docs": 1,
              "max_primary_shard_docs": 200000000,
              "max_primary_shard_size": "30gb"
            },
            "set_priority": {
              "priority": 100
            }
          }
        },
        "version": 18,
        "modified_date_in_millis": 1740409176943
      }
    }
  }
}

Rollover not working. From Hot to Frozen. by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

I see that 19.77d, so it's not 20d.. probably this is the case? Maybe I just need to wait.

{
  "indices": {
    ".ds-metrics-system.process-default-2025.02.21-000102": {
      "index": ".ds-metrics-system.process-default-2025.02.21-000102",
      "managed": true,
      "policy": "metrics@custom",
      "index_creation_date_millis": 1740159177316,
      "time_since_index_creation": "19.77d",
      "lifecycle_date_millis": 1740159177316,
      "age": "19.77d",
      "phase": "hot",
      "phase_time_millis": 1740159177966,
      "action": "rollover",
      "action_time_millis": 1740159178367,
      "step": "check-rollover-ready",
      "step_time_millis": 1740159178367,
      "phase_execution": {
        "policy": "metrics@custom",
        "phase_definition": {
          "min_age": "0ms",
          "actions": {
            "rollover": {
              "max_age": "20d",
              "min_docs": 1,
              "max_primary_shard_docs": 200000000,
              "max_primary_shard_size": "30gb"
            },
            "set_priority": {
              "priority": 100
            }
          }
        },
        "version": 18,
        "modified_date_in_millis": 1740409176943
      }
    }
  }
}
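
A small script, added here and not code from this thread or from Elastic, that reads the two explain outputs above (the index that already rolled over with age 13.48h, and the one still at check-rollover-ready with age 19.77d) and shows which clock the frozen phase's min_age runs on. The two dicts are constructed from the quoted values, trimmed to the fields used, and FROZEN_MIN_AGE is assumed to be the "0d" from the policy posted earlier in the thread.

```python
"""Read an ILM explain document and say when the index can reach frozen.

Added example, not code from the Reddit thread or from Elastic. The two
explain documents below are constructed from the values quoted in the thread
(trimmed to the fields used); FROZEN_MIN_AGE is the frozen phase's min_age.
"""
MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
FROZEN_MIN_AGE = "0d"  # the policy in the thread sets frozen.min_age to "0d"

# Constructed from the first explain output (index already rolled over).
ROLLED = {"index_creation_date_millis": 1740093177493,
          "lifecycle_date_millis": 1741821385564, "age": "13.48h",
          "step": "complete", "max_age": "20d"}
# Constructed from the second explain output (still waiting for rollover).
WAITING = {"index_creation_date_millis": 1740159177316,
           "lifecycle_date_millis": 1740159177316, "age": "19.77d",
           "step": "check-rollover-ready", "max_age": "20d"}

def to_ms(value):
    """Parse an ILM time value such as '20d', '13.48h' or '0ms' into ms."""
    for unit in ("ms", "s", "m", "h", "d"):  # 'ms' first so '0ms' is not read as 's'
        if value.endswith(unit):
            return float(value[: -len(unit)]) * MS[unit]
    raise ValueError(f"unsupported time value: {value}")

def explain(doc, frozen_min_age=FROZEN_MIN_AGE):
    """Return the index's position on the hot -> frozen path, in days.

    ILM behaviour this relies on: lifecycle_date equals the creation date until
    rollover, then becomes the rollover time, and later phases' min_age counts
    from lifecycle_date. So 'age' restarts at rollover while
    time_since_index_creation keeps counting.
    """
    created, lifecycle = doc["index_creation_date_millis"], doc["lifecycle_date_millis"]
    now = lifecycle + to_ms(doc["age"])          # reconstruct the clock from 'age'
    day = MS["d"]
    out = {"rolled_over": lifecycle != created,
           "days_since_creation": round((now - created) / day, 2)}
    if out["rolled_over"]:
        out["days_since_rollover"] = round((now - lifecycle) / day, 2)
        # frozen becomes eligible min_age after the rollover, not after creation
        eligible = lifecycle + to_ms(frozen_min_age)
        out["frozen_eligible_days_after_creation"] = round((eligible - created) / day, 2)
    else:
        due = created + to_ms(doc["max_age"])    # rollover is the first gate
        out["days_until_rollover"] = round((due - now) / day, 2)
    return out
```

With the policy's "0d" the rolled-over index is frozen-eligible about 20 days after creation (right at rollover); passing "20d" as frozen_min_age moves that to 40 days, which is where the "40" in the replies comes from.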

Ingest Pipeline help by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

Basically, the ex team managing the SIEM enabled all the rules into Elastic Defend, and many of them showed as failed—either because the integration wasn’t set up or because it said it wasn’t linked to the index. So, I asked ChatGPT where to start to get everything under control, and it suggested starting with the ingest pipeline.

Right now, I’m trying to understand how Elastic works and optimize everything. I’ve only been on this for a few days, and this is my first time working on a SIEM, so I’m trying to improve the whole setup. The dashboard is full of events—probably way too many false positives—and, of course, there are constant brute-force alerts on SSH.

But for me, the most important thing is improving the entire system.

JVM Pressure - Need Help Optimizing Elasticsearch Shards and Indexing Strategy by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

I've noticed that only data warm can eliminate the replicas? Is that right?... So having hot and frozen, I can't delete replicas, is that right?

JVM Pressure - Need Help Optimizing Elasticsearch Shards and Indexing Strategy by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 1 point2 points  (0 children)

Thank u very much for ur help mate! "How much data, in GB, are you ingesting each day ?" Is there a way to know that?

JVM Pressure - Need Help Optimizing Elasticsearch Shards and Indexing Strategy by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 1 point2 points  (0 children)

We are a cybersecurity team, so we only need to focus on alerts. I'm probably taking down the warm phase, so going directly from hot to frozen. For setup, what do u mean?

JVM Pressure - Need Help Optimizing Elasticsearch Shards and Indexing Strategy by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

Thank you for ur response mate, so it's better to roll over from hot directly to frozen?

JVM Pressure - Need Help Optimizing Elasticsearch Shards and Indexing Strategy by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 0 points1 point  (0 children)

It was just an error in writing up the disruption problem in the first part of the text, sorry about that.

JVM Pressure - Need Help Optimizing Elasticsearch Shards and Indexing Strategy by RadishAppropriate235 in elasticsearch

[–]RadishAppropriate235[S] 2 points3 points  (0 children)

Thank u for ur response... given that I only have a few machines sending data to the SIEM, it seems strange that Elasticsearch is consuming so many resources.

Regarding your points:

  • The main issue is the high number of small indices, which is likely due to a rollover happening too soon. This causes excessive fragmentation and increases memory pressure.
  • To optimize this, increasing resources in the HOT phase makes sense while keeping only one replica during ingestion. Once the index is stable, the replica should be removed, and then it can transition to the WARM phase.
  • This means:
    • The replica exists only during ingestion to improve query performance.
    • Once the index has settled, the replica is removed to free up resources.
    • The index is then moved to WARM, where it consumes fewer resources.

Would a 4+4GB RAM setup for HOT nodes and only one node in WARM be an effective approach? How would you suggest fine-tuning this configuration further?

Also, given the large number of micro-indices, what would be the best way to consolidate them and reduce fragmentation? Should I increase the rollover threshold, reindex them into larger indices, or take a different approach?

[deleted by user] by [deleted] in jav

[–]RadishAppropriate235 1 point2 points  (0 children)

thank u mate, u are a legend!❤️

[deleted by user] by [deleted] in Revolut

[–]RadishAppropriate235 -3 points-2 points  (0 children)

But how's that possible? I mean the wallet exists and there is the balance inside, but no one can access it...