templates, elasticsearch, logstash, sharding

logstash template not honored for shard number increase


I have a Logstash template where I asked for a 3-shard index.

It is loaded correctly, and I can retrieve it with the _template API, but it does not seem to be honored when I list the shards on the cluster.

I still have only 1 primary shard and 1 replica shard. I tried many things (order 0, order 2, deleting the existing index, etc.). No way to get 3 shards for this index.

I have another template on the index "logstash-*" with an order 0, which seems to be the default. (Mine is named "logstash-syslog-%{+YYYY.MM.dd}" with an order 2.)

Could you help? Maybe I missed something in the documentation.

The output of _cat/templates?v&s=name:

name                        index_patterns                   order      version
.watches                    [.watches*]                      2147483647 
.ml-config                  [.ml-config]                     0          7040199
.ml-state                   [.ml-state*]                     0          7040199
.ml-notifications           [.ml-notifications]              0          7040199
.data-frame-internal-2      [.data-frame-internal-2]         0          7040199
.monitoring-logstash        [.monitoring-logstash-7-*]       0          7000199
.management-beats           [.management-beats]              0          70000
.slm-history                [.slm-history-1*]                2147483647 
.monitoring-es              [.monitoring-es-7-*]             0          7000199
.ml-anomalies-              [.ml-anomalies-*]                0          7040199
.data-frame-notifications-1 [.data-frame-notifications-*]    0          7040199
.ml-meta                    [.ml-meta]                       0          7040199
.triggered_watches          [.triggered_watches*]            2147483647 
.logstash-management        [.logstash]                      0          
logstash                    [logstash-*]                     0          60001
syslog_template             [logstash-syslog-%{+YYYY.MM.dd}] 1          7040199
.monitoring-beats           [.monitoring-beats-7-*]          0          7000199
.watch-history-10           [.watcher-history-10*]           2147483647 
.monitoring-alerts-7        [.monitoring-alerts-7]           0          7000199
.monitoring-kibana          [.monitoring-kibana-7-*]         0          7000199

The index settings of my template:

cat /etc/logstash/templates/syslog_template.json

{
  "index_patterns" : "logstash-syslog-%{+YYYY.MM.dd}",
  "order" : 1,
  "version" : 7040199,
  "settings" : {
    "index.refresh_interval" : "5s",
    "number_of_shards": 2
  },

The output of curl -X GET "localhost:9200/_cat/shards":

.kibana_1                  0 r STARTED  2  8.7kb 10.33.109.211 gm2-elk-02.preprod.exo.plop.com
.kibana_1                  0 p STARTED  2 11.2kb 10.33.109.210 gm2-elk-01.preprod.exo.plop.com
.kibana_task_manager_1     0 r STARTED  2 12.5kb 10.33.109.211 gm2-elk-02.preprod.exo.plop.com
.kibana_task_manager_1     0 p STARTED  2  6.7kb 10.33.109.210 gm2-elk-01.preprod.exo.plop.com
logstash-nats-2019.10.28   0 r STARTED  0   283b 10.33.109.211 gm2-elk-02.preprod.exo.plop.com
logstash-nats-2019.10.28   0 p STARTED  0   283b 10.33.109.210 gm2-elk-01.preprod.exo.plop.com
logstash-syslog-2019.10.28 0 r STARTED 32 23.9kb 10.33.109.211 gm2-elk-02.preprod.exo.plop.com
logstash-syslog-2019.10.28 0 p STARTED 32 23.9kb 10.33.109.210 gm2-elk-01.preprod.exo.plop.com

Solution

  • Your index_patterns should be logstash-syslog-*, i.e. "index_patterns" : "logstash-syslog-*", as mentioned by @leandrojmp.

    Also, you can avoid using the version field, since that's used internally by Elasticsearch.

    @leandrojmp - can you please put your comment as an answer so that @Mickael Brandon can accept it?
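
Why the original pattern never applied, as an added example that is not part of the original question or answer: Elasticsearch treats index_patterns literally apart from the * wildcard, while %{+YYYY.MM.dd} is date syntax that only Logstash expands. The sketch simulates legacy template resolution (matching templates applied in ascending order, higher order overriding); the settings of the logstash template and all helper names are assumptions, and this is not Elasticsearch's own code.

```python
import re

DEFAULT_SHARDS = 1  # Elasticsearch 7.x default when no template sets it


def simple_match(pattern, index_name):
    """'*' is the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def effective_settings(templates, index_name):
    """Merge settings of all matching templates, lowest order first."""
    merged, applied = {}, []
    for name, tpl in sorted(templates.items(), key=lambda kv: kv[1]["order"]):
        patterns = tpl["index_patterns"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(simple_match(p, index_name) for p in patterns):
            applied.append(name)
            for key, value in tpl["settings"].items():
                # Settings are stored with the "index." prefix.
                key = key if key.startswith("index.") else "index." + key
                merged[key] = value  # higher order overrides lower
    merged.setdefault("index.number_of_shards", DEFAULT_SHARDS)
    return applied, merged


def build_templates(syslog_pattern):
    return {
        # Constructed: the page does not show this template's settings.
        "logstash": {"index_patterns": ["logstash-*"], "order": 0,
                     "settings": {"index.refresh_interval": "5s"}},
        # Settings taken from syslog_template.json in the question.
        "syslog_template": {"index_patterns": syslog_pattern, "order": 1,
                            "settings": {"index.refresh_interval": "5s",
                                         "number_of_shards": 2}},
    }


INDEX = "logstash-syslog-2019.10.28"  # index name from the _cat/shards output

if __name__ == "__main__":
    for pattern in ("logstash-syslog-%{+YYYY.MM.dd}", "logstash-syslog-*"):
        applied, settings = effective_settings(build_templates(pattern), INDEX)
        print(pattern, "->", applied, settings["index.number_of_shards"])
```

A template change only affects indices created after it is loaded, so an index that already exists for the day keeps its shard count until it is deleted or the next daily index is created.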