Creating Rollover of an Index

Rollover is essential for managing constantly growing indexes, such as analytics, log, and audit_auditlogs, by splitting them and transitioning older segments into a read-only state. This procedure outlines how to perform rollover actions based on conditions or thresholds.
Index rollover
You can perform rollover for the following indexes:
  • gateway_tenant_assets
  • gateway_tenant_analytics
  • gateway_tenant_audit_auditlogs

To create rollover of an index

  1. Ensure your Elasticsearch cluster is up and running.
  2. Select an index to roll over. For example, gateway_tenant_analytics.
  3. Create the rollover of the index using the API:
    POST /gateway_tenant_index/_rollover/target-index
    {
      "conditions": {
        rollover conditions
      }
    }
    

    In the API:

    • Replace tenant with the tenant name.
    • Replace index with an index name. For example: analytics, log, and audit_auditlogs.
    • Replace target-index with the target index name where the rollover results are stored.
    • Replace rollover conditions with conditions based on your requirements.
    A sample command to roll over the analytics index for the default tenant is as follows:
    curl -si -X POST http://es-host:es-port/gateway_default_analytics/_rollover
    A sample command to roll over the analytics index for the default tenant with conditions is as follows:
    curl -si -X POST -H "content-type:application/json" -d '{"conditions": {"max_docs": 20000}}' http://es-host:es-port/gateway_default_analytics/_rollover/gateway_default_analytics_20240528
    
    In this example, the Elasticsearch cluster is assumed to be running on es-host with port es-port. The condition "max_docs": 20000 indicates that the rollover must occur when the index reaches 20,000 documents.

    You can simulate rollover conditions without executing the rollover using the dry_run query parameter.

    A sample command to simulate the rollover conditions using the dry_run query parameter is as follows:
    curl -si -X POST -H "content-type:application/json" -d '{"conditions": {"max_size": "20m"}}' 'http://es-host:es-port/gateway_default_analytics/_rollover/gateway_default_analytics_efgh?dry_run'
    
    In this example, Elasticsearch checks if the analytics index has reached a maximum size of 20MB.
    A sample response is as follows:
    {
      "acknowledged": false,
      "shards_acknowledged": false,
      "old_index": "gateway_default_analytics_abcd",
      "new_index": "gateway_default_analytics_efgh",
      "rolled_over": false,
      "dry_run": true,
      "conditions": {
        "[max_size: 20mb]": false
      }
    }
  4. Optional. Automated rollover
    Implement automated policies using Index Lifecycle Management (ILM) to manage rollover phases (hot, warm, delete) for constantly growing indexes. For more information about ILM configuration, see Elasticsearch documentation.
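The dry_run check from step 3 can gate the real rollover request, so an index such as audit_auditlogs is touched only when a condition is actually met. The following is an added Python example, not code from the product or from Elasticsearch. The function names and the allowed-character rule for name components are assumptions, and the interpretation covers only max_* conditions as used on this page.

```python
import json
import re
import urllib.request

# Assumed naming rule: lowercase letters, digits, "_", "-" (rejects "/", "?", "..").
NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")

def rollover_url(base, tenant, index, target=None, dry_run=False):
    """Build the _rollover URL for gateway_<tenant>_<index>."""
    for part in (tenant, index) + ((target,) if target else ()):
        if not NAME.fullmatch(part):
            raise ValueError(f"unsafe name component: {part!r}")
    url = f"{base.rstrip('/')}/gateway_{tenant}_{index}/_rollover"
    if target:
        url += f"/{target}"
    return url + ("?dry_run" if dry_run else "")

def would_roll_over(response):
    """Interpret a dry_run response: True if a rollover would happen.
    Assumes only max_* conditions: any single met condition triggers it."""
    conditions = response.get("conditions", {})
    return not conditions or any(conditions.values())

def post_json(url, body):
    """POST a JSON body and return the parsed JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def rollover_if_due(base, tenant, index, target, conditions, post=post_json):
    """Dry-run first; send the real request only if it would roll over."""
    body = {"conditions": conditions}
    preview = post(rollover_url(base, tenant, index, target, dry_run=True), body)
    if not would_roll_over(preview):
        return preview  # unmet conditions are reported, index left untouched
    return post(rollover_url(base, tenant, index, target), body)

# Sample dry_run response from this page, used as offline input.
SAMPLE = json.loads('''{"acknowledged": false, "shards_acknowledged": false,
  "old_index": "gateway_default_analytics_abcd",
  "new_index": "gateway_default_analytics_efgh",
  "rolled_over": false, "dry_run": true,
  "conditions": {"[max_size: 20mb]": false}}''')
```

The `post` parameter lets the gate be exercised against recorded responses such as `SAMPLE` before it is pointed at a live cluster.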