ILM new index does not obey my policy limit GB - elasticsearch

I have a policy using the index pattern logstash-* and with alias logstash-rollover. My first index is logstash-001 and it was created manually by me and attached to rollover alias.
After 50GB (my policy sets max 50GB), another index is created: logstash-002, and it is ok for me. The problem is my second index gets to about 200GB and more; it seems like the policy is not applied to indexes other than -001.
Index -001 : (check policy)
Index -002: (no policy here)

The ILM policy name does not work with a pattern; it is just the name of the policy.
You need to create an index template, which holds the ILM policy. This index template does use an index pattern, which should match your indices.
This tutorial explains it nicely.
Create a template
PUT _index_template/automated_ILM
{
  "index_patterns": ["logstash-*"],
  "template": {
    "settings": {
      "index.lifecycle.name": "<Your ILM policy name>",
      "index.lifecycle.rollover_alias": "logstash-rollover"
    }
  }
}
Apply the ILM policy manually to the index logstash-002
PUT logstash-002/_settings
{
  "index": {
    "lifecycle": {
      "name": "<Your ILM policy name>"
    }
  }
}
Then do the rollover manually
POST logstash-rollover/_rollover
And you should be all set.
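
A check for the situation in the question, as an added example (not code from the original answer): it reads the JSON returned by GET logstash-*/_ilm/explain and reports indices that have no policy, a different policy, or a failed ILM step. The sample response is constructed, and the policy name logs_policy and index logstash-003 are placeholders.

```python
import json

# Constructed sample of a `GET logstash-*/_ilm/explain` response.
# "logs_policy" is a placeholder policy name, not one from the page.
SAMPLE_EXPLAIN = json.loads("""
{
  "indices": {
    "logstash-001": {
      "index": "logstash-001", "managed": true, "policy": "logs_policy",
      "phase": "hot", "action": "complete", "step": "complete"
    },
    "logstash-002": {"index": "logstash-002", "managed": false},
    "logstash-003": {
      "index": "logstash-003", "managed": true, "policy": "logs_policy",
      "phase": "hot", "action": "rollover", "step": "ERROR",
      "failed_step": "check-rollover-ready",
      "step_info": {
        "type": "illegal_argument_exception",
        "reason": "setting [index.lifecycle.rollover_alias] for index [logstash-003] is empty or not defined"
      }
    }
  }
}
""")


def audit_ilm(explain, expected_policy):
    """Return sorted (index, problem) pairs for indices ILM will not roll over."""
    findings = []
    for name, info in explain.get("indices", {}).items():
        if not info.get("managed", False):
            # The case from the question: the index exists but no policy is attached.
            findings.append((name, "no ILM policy attached"))
        elif info.get("policy") != expected_policy:
            findings.append((name, f"unexpected policy {info.get('policy')!r}"))
        elif info.get("step") == "ERROR":
            # A policy is attached but a step failed, e.g. the rollover alias is missing.
            reason = info.get("step_info", {}).get("reason", "unknown")
            findings.append((name, f"{info.get('failed_step')} failed: {reason}"))
    return sorted(findings)


if __name__ == "__main__":
    for index, problem in audit_ilm(SAMPLE_EXPLAIN, "logs_policy"):
        print(f"{index}: {problem}")
```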


Need to rename index in 6.2.4 elasticsearch

I have used the _shrink API and shrunk my index from 5 shards to 1 shard, but with a different name, and have deleted the old index. Now I want to rename the newly created index to the same old name. I used the _reindex API, but that creates the index with the same old 5 shards, and I want to have it on a single primary shard. Since I am on 6.2.4, I can't use the _clone API.
Please advise. TIA
Add the amount of shards at index creation time:
PUT /my-index-000001
{
  "settings": {
    "index": {
      "number_of_shards": 1
    }
  }
}
You can also add the mapping and other settings in this request.

How to point elasticsearch alias to current index and removing the alias from old index from index template?

In our application, we are creating the Elasticsearch index on a daily basis and the index pattern is index-. (e.g. index-17-09-2019). But our application is accessing the index through an alias which is pointing to the current index. Now attaching and removing of the alias with the index is done through a cron job. Is it possible to do it through an index template, as we are avoiding the cron job?
We can attach alias with the index through index template but I am not sure whether we can detach the alias with the old index and add it to the new index through index template.
That can be done with built-in index lifecycle management (ILM). Your application will be sending data to index alias and ILM will take care of the rest.
Here is the description of how it can be done, but basically you need to:
1. Create ILM job
PUT /_ilm/policy/my_policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_age": "1d"
          }
        }
      }
    }
  }
}
2. Create an index template with ILM policy attached
PUT _template/my_template
{
  "index_patterns": ["test-*"],
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 1,
    "index.lifecycle.name": "my_policy",
    "index.lifecycle.rollover_alias": "test-alias"
  }
}
3. Start the process by creating init index
PUT test-000001
{
  "aliases": {
    "test-alias": {
      "is_write_index": true
    }
  }
}
That will help you with handling creation of new index every day without external CRON job. You can also extend your policy, later on to e.g. delete old indices after 7 days after rollover.
Hope that helps.

Elasticsearch - Reindex whole cluster using pattern for new index name

I have an index with thousands of indices, with 5 shards per index.
I would like to reindex them with only 1 shard per index.
Is there a built-in solution in Elastic to reindex, for instance, all the indices by adding "-reindexed" to each index?
Looks like you want to dynamically change the index names while reindexing.
Let's understand this with an example:
1) Add some indices:
POST sample/_doc/1
{
  "test" : "sample"
}
POST sample1/_doc/1
{
  "test" : "sample"
}
POST sample2/_doc/1
{
  "test" : "sample"
}
2) Use Reindex API to dynamically change the index names while reindexing multiple indices:
POST _reindex
{
  "source": {
    "index": "sample*"
  },
  "dest": {
    "index": ""
  },
  "script": {
    "inline": "ctx._index = ctx._index + '-reindexed'"
  }
}
The above request will reindex all the indices starting with sample and add -reindexed in their indexNames. So that means sample, sample1 and sample2 will be reindexed as sample-reindexed, sample1-reindexed and sample2-reindexed all with this one request.
In order to set up the destination indices with one shard you need to create those indices before reindexing.
Hope that helps.
You could do a simple reindex but I'd also recommend you take a look at the Shrink Index API:
The documentation above links to v7.0, but this has been around for many iterations.
In your example, you would do something similar to the following:
First, reallocate copies of all primary or replica shards to a single node and prevent any future write-access while the shrink operations are being performed.
PUT /my_source_index/_settings
{
  "settings": {
    "index.routing.allocation.require._name": "shrink_node_name",
    "index.blocks.write": true
  }
}
Initiate the shrink operation, clear the index settings set in the previous command, and update your primary and replica settings on the target index:
POST my_source_index/_shrink/my_target_index-reindexed
{
  "settings": {
    "index.routing.allocation.require._name": null,
    "index.blocks.write": null,
    "index.number_of_replicas": 1,
    "index.number_of_shards": 1,
    "index.codec": "best_compression"
  }
}
Note the above is also allocating a replica shard - if you don't want this, ensure you set this to 0.
You would want to set up a script of some sort to iterate through the list of source indices one by one.
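
One way to do that iteration, as an added example that is not part of the original answer: it takes the JSON from GET _cat/indices?format=json&h=index,pri,rep and builds the two requests shown above for every index that still needs shrinking. The index names in the sample are constructed; the node name and the -reindexed suffix follow the answer.

```python
import json

# Constructed sample of `GET _cat/indices?format=json&h=index,pri,rep`.
SAMPLE_CAT = json.loads("""[
  {"index": "logs-2019.09.15", "pri": "5", "rep": "1"},
  {"index": "logs-2019.09.16", "pri": "5", "rep": "1"},
  {"index": "logs-2019.09.16-reindexed", "pri": "1", "rep": "1"},
  {"index": "metrics-2019.09", "pri": "1", "rep": "1"},
  {"index": ".kibana", "pri": "1", "rep": "0"}
]""")


def shrink_plan(cat_indices, node, suffix="-reindexed", replicas=1):
    """Build the ordered (method, path, body) requests to shrink each index to one shard."""
    names = {row["index"] for row in cat_indices}
    plan = []
    for row in sorted(cat_indices, key=lambda r: r["index"]):
        src = row["index"]
        target = src + suffix
        # Skip system indices, results of an earlier run, indices that already
        # have one primary shard, and sources whose target name is taken.
        if src.startswith(".") or src.endswith(suffix):
            continue
        if int(row["pri"]) <= 1 or target in names:
            continue
        # Step 1: move a copy of every shard to one node and block writes.
        plan.append(("PUT", f"/{src}/_settings", {"settings": {
            "index.routing.allocation.require._name": node,
            "index.blocks.write": True,
        }}))
        # Step 2: shrink, clearing the temporary settings on the target.
        plan.append(("POST", f"/{src}/_shrink/{target}", {"settings": {
            "index.routing.allocation.require._name": None,
            "index.blocks.write": None,
            "index.number_of_replicas": replicas,
            "index.number_of_shards": 1,
            "index.codec": "best_compression",
        }}))
    return plan


if __name__ == "__main__":
    for method, path, body in shrink_plan(SAMPLE_CAT, "shrink_node_name"):
        print(method, path, json.dumps(body))
```

Shard relocation from step 1 has to finish before the step 2 request for the same index is sent, so whatever sends these requests should wait between the two.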

ElasticSearch - what is the difference between an index template and an index pattern

I have read an explanation to my question here:
However, I still don't understand the difference. When defining an index PATTERN, does it not affect index creation at all? Also, what happens if I create an index but it doesn't have a corresponding index pattern? How can I see the mapping used for an index pattern so I can know how to use the Mapping API to update it?
And on a side note, the docs say you manage the index patterns by clicking the "Settings" and then "Indices" tab. I'm looking at Kibana and I don't see any settings tab. I can view the index patterns through the management tab, but I don't see any settings tab there
An index template is an ES feature for triggering the creation of new indexes whenever a name pattern is matched. For instance, let's say we create the following index template:
PUT _template/template_1
{
  "index_patterns": ["foo*"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    ...
  }
}
As you can see, as soon as we want to index a document inside an index named (e.g.) foo-44 and that index doesn't exist, then that template (settings + mappings) will be used by ES in order to create the foo-44 index automatically.
You can update an index template at any time by simply PUTting a new settings/mappings definition like above.
An index pattern (not to be confounded with the index-patterns property you saw above, those are two totally different things), is a Kibana feature for telling Kibana what makes up an index (all the fields, their types, etc). Nothing can happen in Kibana without creating index patterns, which you can do in Management > Index Patterns.
Creating an index in ES will not create any index pattern in Kibana. Similarly, creating an index pattern in Kibana will not create any index in ES.
The reason why Kibana needs an index pattern is because it needs to store different kinds of information than what is available in an index mapping. For instance, let's say you create an index with the following mapping:
PUT my_index
{
  "mappings": {
    "doc": {
      "properties": {
        "timestamp": {
          "type": "date"
        },
        "name": {
          "type": "text"
        }
      }
    }
  }
}
Then the corresponding index pattern that you will create in Kibana will have the following content:
GET .kibana/doc/index-pattern:16a98050-a53f-11e8-82ab-af0d48c6ddd8
{
  "type": "index-pattern",
  "updated_at": "2018-08-21T12:38:22.509Z",
  "index-pattern": {
    "title": "my_index*",
    "timeFieldName": "timestamp",
    "fields": """[{"name":"_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false},{"name":"_index","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false},{"name":"_score","type":"number","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false},{"name":"_source","type":"_source","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false},{"name":"_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false},{"name":"name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"timestamp","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}]"""
  }
}
As you can see, Kibana also stores the timestamp field, the name of the index pattern (which can span several indexes). Also it stores various properties for each field you have defined, for instance, for the name field, the index-pattern contains the following information that Kibana needs to know:
{
  "name": "name",
  "type": "string",
  "count": 0,
  "scripted": false,
  "searchable": true,
  "aggregatable": false,
  "readFromDocValues": false
}

Elasticsearch reindex does the old data stay in destination

I have a question about the Elasticsearch reindex API. After I initiate a reindex, do the existing documents in the destination index get deleted or do they stay and only the new ones get added?
The reindex operation will by default override all documents in the destination index that already exist and have the same id.
If you want to prevent that you can use the op_type: create setting in order to only add missing documents in the destination index.
POST _reindex
{
  "conflicts": "proceed",
  "source": {
    "index": "my_old_index"
  },
  "dest": {
    "index": "my_new_index",
    "op_type": "create" <--- add this
  }
}
