{
"_index": "user:1494813192000",
"_type": "fruits",
"_id": "pbyac5r88-yghe-v1ez-cpgb-sqdjipr54alzgj/tp4oqalbd-bo2v-ikj1-atfq-wezcoeeuf6wiqpt/apple",
"_score": 1,
"_routing": "pbyac5r88-yghe-v1ez-cpgb-sqdjipr54alzgj",
"_source": {
"numCal": 442,
"eventTime": 1497315192000,
"fruitName": "apple"
}
This is how the index in my elasticsearch looks like. The eventTime is the current time in ms based on UTC. I would want to use that field to delete my indices using the curator.
This is how my ACTION_FILE.YML looks like
actions:
1:
action: delete_indices
description: >-
Delete indices older than 45 days (based on index name), for logstash-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: age
source: field_stats
field: 'eventTime'
direction: older
unit: days
unit_count: 30
exclude:
Does curator support deleting based on fields that aren't in data format?
I originally answered this question here, but include it here as well.
Date and time comparisons work in Curator based on epoch time. As Elasticsearch stores date entries internally as epoch values, this is why it is usually required to use a field that is stored as a date stamp when using the field_stats for comparisons.
However, if the field epoch time, which is properly mapped as a long in Elasticsearch, and stores either an epoch, or epoch plus milliseconds (but not decimal), it should work just fine for use with field_stats.
For reference, the code that demonstrates this principle is here.