12

I am new to ELK stack and playing around with it in a development environment. That's why I end up deleting an index (DELETE /index_name) and recreating multiple times. Deleting an index that I created works fine, but I notice that there are few lingering system indices, like .monitoring-es-2-2017.02.05.

Screenshot of system indices

  • What is the purpose of these indices?
  • Is each one of those created for a corresponding index?
  • How do I delete them?

NOTE: I have seen the suggestion to use /* to delete everything. But that sounds risky. I don't want to delete index pattern or Visualization or the templates. I only want to delete the data and repopulate with updated data.

javakurious
  • 487
  • 6
  • 13

1 Answers1

14

These indices are created by the Elastic X-Pack monitoring component. X-Pack components are elasticsearch plugins and thus store their data, like Kibana, in elasticsearch. Unlike the .kibana index these indices are created daily because they contain timeseries monitoring data about elasticsearch's performance. Deleting them will have no impact on your other indices.

As @Val pointed out in the comments, you can use /.monitoring-* to only delete these indices and ensure you do not wipe out any other indices, you may find the data in these indices useful as you evaluate the ELK stack and leaving them should not negatively impact you except in the disk space and small amount of memory they occupy.

Community
  • 1
  • 1
Will Barnwell
  • 4,049
  • 21
  • 34
  • I found these to impact the rebalancing, which was extremely annoying, and compounded by the fact ElasticSearch doesn't take into account the shard size when rebalancing (just shard count). So you can easily run into cases where some nodes run out of space even though it's all balanced. ANNOYING! – Henley Nov 27 '17 at 18:41