Using Curator to prune Elasticsearch Indices

If you are using Elasticsearch as a database to store data from various sources, you are going to need a way to prune the indices before they end up filling your drive. Using Curator is one way to go about this task.

The following instructions are based on an Ubuntu LTS 16.04 install with Elasticsearch 5.6 installed locally on the same machine.

  • First, add the source to your apt repository list –

  • Update your package listing and install the curator package

The Curator application uses the popular YAML format as the basis for its configuration files. We will need to create two files at a minimum to get going.

  • First, create a blank file for the base configuration –

Paste in the following basic configuration (assuming your Elasticsearch server is on the same machine as Curator)

Then, create another “action file” that holds the action we want to run. Here, I’m using a slightly modified action from an example that will delete any index older than 30 days whose name starts with “netflow-”. Modify this file to suit your needs. We will call it “delete_indices.yml”

Contents of file
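An action file matching the description above, written here as an added example (it is not the original post's file). It assumes the index names end in a date such as netflow-2017.10.01, so the age is read from the name using the timestring '%Y.%m.%d'; adjust that to your own naming scheme.

```yaml
# delete_indices.yml (added example, not the original post's file)
actions:
  1:
    action: delete_indices
    description: >-
      Delete netflow- indices older than 30 days, based on the date
      in the index name.
    options:
      # Do not treat "no matching indices" as an error
      ignore_empty_list: True
      disable_action: False
    filters:
    # Filters are chained: an index must pass both to be deleted.
    # 1) Only indices whose name starts with "netflow-"
    - filtertype: pattern
      kind: prefix
      value: netflow-
    # 2) Only indices whose name-derived date is older than 30 days
    - filtertype: age
      source: name
      direction: older
      # Assumption: daily indices named netflow-YYYY.MM.DD
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 30
```

The prefix filter is what keeps this action away from every other index on the node, so check it carefully before removing --dry-run.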

We can then run Curator with the --dry-run parameter to simulate the actions taken. Remove --dry-run when you are ready to run it for real!

To run this on a schedule, simply add it to crontab. This will run it daily at midnight. Open your crontab with

Add these lines –
