Elasticsearch index configuration

To setup the PoV elasticsearch index we apply an Index Lifecycle Management (ILM) policy with rollover and automated deletion, gaining several benefit:
  1. Automatic data growth management
    • With rollover (max_age: 1d or max_size: 50gb), you don’t need to manually monitor index size or age.
    • As soon as an index reaches the threshold, Elasticsearch creates a new one (poc_traffic-000002, etc.) and automatically updates the alias poc_traffic.
  2. Better query and update performance
    • Oversized indices slow down searches and updates.
    • By splitting them regularly, shards remain smaller, keeping queries, aggregations, and writes efficient.
  3. Automatic cleanup of old data
    • The delete phase (min_age: 34d) removes indices older than 34 days.
    • No need for external jobs (cron, scripts) to enforce data retention → lower risk of wasting disk space.
  4. Resource usage optimization
    • number_of_shards: 1 and number_of_replicas: 0 reduce overhead when high availability is not required.
    • index.translog.flush_threshold_size: 512mb and refresh_interval: 30s optimize ingestion performance compared to immediate search.
    • Prevents the cluster from being overloaded with either too many small shards or oversized ones.
  5. Easier management with index templates
    • With an index template (poc_traffic_template), each new rollover index automatically inherits the same settings.
    • No need to reapply configurations like refresh_interval or max_result_window manually.
  6. Elasticity and scalability
    • Ideal for time-series data (like logs or traffic data) that continuously grows.
    • The combination of alias + rollover + ILM is the recommended Elastic pattern for scalable data management.
curl -XPUT "http://localhost:9200/_ilm/policy/poc_traffic_policy" -H "kbn-xsrf: reporting" -H "Content-Type: application/json" -d'
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_age": "1d",
            "max_size": "50gb"
          }
        }
      },
      "delete": {
        "min_age": "34d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}'

curl -XPUT "http://localhost:9200/poc_traffic-000001" -H "kbn-xsrf: reporting" -H "Content-Type: application/json" -d'
{
  "aliases": {
    "poc_traffic": {
      "is_write_index": true
    }
  },
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0,
    "refresh_interval": "30s",
    "index.lifecycle.name": "poc_traffic_policy",
    "index.lifecycle.rollover_alias": "poc_traffic",
    "index.translog.flush_threshold_size": "512mb",
    "max_result_window": 100000
  }
}'

curl -XPUT "http://localhost:9200/_index_template/poc_traffic_template" -H "kbn-xsrf: reporting" -H "Content-Type: application/json" -d'
{
  "index_patterns": ["poc_traffic-*"],
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 0,
      "refresh_interval": "30s",
      "index.lifecycle.name": "poc_traffic_policy",
      "index.lifecycle.rollover_alias": "poc_traffic",
      "index.translog.flush_threshold_size": "512mb",
      "max_result_window": 100000
    }
  },
  "priority": 500
}'