ELK Tutorial - Periodically Purging Elasticsearch Data
https://blog.johnwu.cc/article/elk-purge-elasticsearch-index.html

https://www.elastic.co/guide/en/elasticsearch/client/curator/current/configfile.html

https://www.elastic.co/guide/en/elasticsearch/client/curator/current/ex_delete_indices.html

https://anjia0532.github.io/2017/04/06/elasticsearch-delete-indices-by-date/

config.yml

  
# Remember, leave a key empty if there is no value.  None will be a string,  
# not a Python "NoneType"  
client:  
  hosts:  
    - xxx.xxx.xxx.xxx  
  port: 9200  
  url_prefix:  
  use_ssl: False  
  certificate:  
  client_cert:  
  client_key:  
  ssl_no_validate: False  
  http_auth:  
  timeout: 30  
  #timeout: 60  
  master_only: False  
  
logging:  
  loglevel: INFO  
  logfile:  
  logformat: default  
  blacklist: ['elasticsearch', 'urllib3']  

curator_filebeat.yml

  
# Remember, leave a key empty if there is no value.  None will be a string,  
# not a Python "NoneType"  
#  
# Also remember that all examples have 'disable_action' set to True.  If you  
# want to use this action as a template, be sure to set this to False after  
# copying it.  
actions:  
  1:  
    action: delete_indices  
    description: >-  
      Delete indices older than 30 days (based on index name), for filebeat-  
      prefixed indices. Ignore the error if the filter does not result in an  
      actionable list of indices (ignore_empty_list) and exit cleanly.  
    options:  
      ignore_empty_list: True  
      disable_action: False  
    filters:  
    - filtertype: pattern  
      kind: prefix  
      value: filebeat-  
    - filtertype: age  
      source: name  
      direction: older  
      timestring: '%Y.%m.%d'  
      unit: days  
      unit_count: 30  

curator_heartbeat.yml

  
# Remember, leave a key empty if there is no value.  None will be a string,  
# not a Python "NoneType"  
#  
# Also remember that all examples have 'disable_action' set to True.  If you  
# want to use this action as a template, be sure to set this to False after  
# copying it.  
actions:  
  1:  
    action: delete_indices  
    description: >-  
      Delete indices older than 15 days (based on index creation date), for  
      heartbeat- prefixed indices. Ignore the error if the filter does not result  
      in an actionable list of indices (ignore_empty_list) and exit cleanly.  
    options:  
      ignore_empty_list: True  
      disable_action: False  
    filters:  
    - filtertype: pattern  
      kind: prefix  
      value: heartbeat-  
    - filtertype: age  
      #source: name  
      source: creation_date  
      direction: older  
      timestring: '%Y.%m.%d'  
      unit: days  
      unit_count: 15  

  
curator.exe --config config.yml curator_filebeat.yml  

  
curator.exe --config config.yml curator_heartbeat.yml  

If Curator is very slow or returns an error, use the curl command line instead: delete some indices by hand, then run Curator again.

  
curl "http://localhost:9200/_cat/indices?v&h=i"  

  
curl -XDELETE "http://xxx.xxx.xxx.xxx:9200/filebeat-6.5.1-2018.12.17"
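
To decide which indices to remove by hand in the curl fallback above, the sketch below applies the same prefix and name-date rule as curator_filebeat.yml to the output of the `_cat/indices?v&h=i` call and prints the DELETE commands for review instead of running them. It is an added example, not part of the original notes or of Curator; the function names and the sample index list are constructed, and the cutoff is an approximation of Curator's age filter that keeps the boundary day.

```python
import re
from datetime import date, datetime, timedelta

# Date portion that the timestring '%Y.%m.%d' refers to in an index name.
DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")

# Constructed sample of `curl ".../_cat/indices?v&h=i"` output (first line is the header).
SAMPLE_CAT_OUTPUT = """i
filebeat-6.5.1-2018.12.17
filebeat-6.5.1-2019.01.10
heartbeat-6.5.1-2018.12.01
.kibana
filebeat-6.5.1-2018.11.30
"""

def expired_indices(cat_output, prefix, unit_count, today):
    """Names starting with `prefix` whose name date is more than
    `unit_count` days before `today`, oldest first."""
    cutoff = today - timedelta(days=unit_count)
    hits = []
    for line in cat_output.splitlines():
        name = line.strip()
        if not name.startswith(prefix):
            continue  # same role as filtertype: pattern / kind: prefix
        match = DATE_RE.search(name)
        if not match:
            continue  # no date in the name: never selected
        try:
            day = datetime.strptime(match.group(0), "%Y.%m.%d").date()
        except ValueError:
            continue  # digits that are not a real calendar date
        if day < cutoff:
            hits.append((day, name))
    return [name for _, name in sorted(hits)]

def delete_commands(names, host):
    """Build the curl DELETE lines for review; nothing is executed."""
    return ['curl -XDELETE "http://%s/%s"' % (host, n) for n in names]

if __name__ == "__main__":
    # host is the placeholder used in these notes; the date is a constructed "today".
    old = expired_indices(SAMPLE_CAT_OUTPUT, "filebeat-", 30, date(2019, 1, 20))
    print("\n".join(delete_commands(old, "xxx.xxx.xxx.xxx:9200")))
```

Check the printed list against the retention period before running any of the commands, since a deleted index cannot be recovered without a snapshot.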