So, I have some servers at my clients which run Elasticsearch. The indexes are stored on a separate disk partition mounted on /var/lib/elasticsearch, and that fills up pretty quickly. ELK can clear up some indexes itself, but I decided to see if I could write a bash script to do that. So I did... It's not the most elegant or smartest solution, but hey, it's honest work 😊
This is the script:
#!/bin/bash
set -euf -o pipefail

ELK_SYMLINK="/var/lib/elasticsearch"
THRESHOLD=85

# checking if the ELK path is a symlink
if [ ! -L "$ELK_SYMLINK" ]; then
    echo "Path '$ELK_SYMLINK' exists but is not a symlink. Exiting now!"
    exit 1
fi

# disk usage of the partition behind the symlink, as a bare number (no % sign)
disk_usage() {
    df --output=pcent "$ELK_SYMLINK" | awk 'FNR == 2 {print $1}' | tr -d %
}

# a fixed name under /tmp can be pre-created by another user; let mktemp pick one and remove it on exit
INDEX_LIST=$(mktemp)
trap 'rm -f "$INDEX_LIST"' EXIT

DF_ELK_DISK=$(disk_usage)
echo "Now checking disk usage on ELK partition. If du is greater than ${THRESHOLD}% this loop will clean old ELK indexes."
if [ "$DF_ELK_DISK" -ge "$THRESHOLD" ]; then
    while [ "$DF_ELK_DISK" -ge "$THRESHOLD" ]
    do
        echo "Disk usage is now: ${DF_ELK_DISK}%"
        # filebeat indexes only; creation.date.string is an ISO date, so a plain sort puts the oldest first
        curl --silent --fail -XGET "localhost:9200/_cat/indices?h=creation.date.string,index" | sed '/filebeat/!d' | sort > "$INDEX_LIST"
        ### Getting the oldest index from the (sorted) list ###
        read -r OLDEST_DATE_INDEX OLDEST_INDEX_NAME < "$INDEX_LIST" || true
        if [ -z "${OLDEST_INDEX_NAME:-}" ]; then
            echo "No filebeat index left to delete but disk usage is still ${DF_ELK_DISK}%. Exiting now!"
            exit 1
        fi
        echo "Our oldest index is: $OLDEST_INDEX_NAME (created $OLDEST_DATE_INDEX)"
        echo "Deleting oldest index: $OLDEST_INDEX_NAME"
        curl --silent --fail -XDELETE "localhost:9200/$OLDEST_INDEX_NAME"
        # adding sleep of 10 seconds after each index delete so df sees the freed space
        sleep 10
        # re-read disk usage, otherwise the loop would never stop
        DF_ELK_DISK=$(disk_usage)
    done
else
    echo "Disk usage is only: ${DF_ELK_DISK}%"
fi
# end of script and all done
echo "All done..."
exit 0
This script runs when that partition gets full and clears the oldest index until the partition gets below 85%.
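As an added example (not the script from this post), here is the "pick the oldest index" step written so it sorts on the numeric `creation.date` column of `_cat/indices` and refuses to delete when fewer than a minimum number of filebeat indexes would remain, so the index filebeat is currently writing to is never the one removed. The `_cat` output is a constructed sample, and `oldest_deletable_index` and its arguments are names I chose.

```shell
#!/bin/bash
# Added example, not the original post's script: choose which filebeat index
# to delete next from the output of
#   curl -s 'localhost:9200/_cat/indices?h=creation.date,index'
# (creation.date is the epoch-millisecond column, so `sort -n` is exact),
# and refuse when that would leave fewer than KEEP_MIN matching indexes.
set -euf -o pipefail

# Constructed sample of that _cat output (not real cluster data).
SAMPLE_CAT_OUTPUT='1704153600000 filebeat-7.10.0-2024.01.02
1700000000000 .kibana_1
1704240000000 filebeat-7.10.0-2024.01.03
1704067200000 filebeat-7.10.0-2024.01.01'

# oldest_deletable_index PATTERN KEEP_MIN   (reads _cat output on stdin)
# Prints the oldest index whose name matches PATTERN (an awk regex).
# Prints nothing and returns 1 if fewer than KEEP_MIN matching indexes
# would remain after deleting it.
oldest_deletable_index() {
    local pattern="$1" keep_min="$2" matches count
    # keep only matching rows, oldest epoch first; awk exits 0 even with no match
    matches=$(awk -v pat="$pattern" '$2 ~ pat' | sort -n)
    count=$(printf '%s' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -le "$keep_min" ]; then
        return 1
    fi
    printf '%s\n' "$matches" | awk 'NR == 1 { print $2 }'
}

# Usage against the constructed sample: always keep at least one filebeat index.
printf '%s\n' "$SAMPLE_CAT_OUTPUT" | oldest_deletable_index '^filebeat-' 1
```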
I know some of you are smart cookies and can do this much more cleanly; if so, please tweet me so I can also rise from my darkness 😊