Close Indexes
21 views
Skip to first unread message
Jorge Moya Albarran
Sep 2, 2025, 8:48:08 AM (5 days ago) Sep 2
to Wazuh | Mailing List
Good afternoon,
Can you help me with this? I need to know how I can automate the process so that indexes that are 200 days old are changed from “open” to “close” so that they don't take up resources, and do this automatically with new indexes that are created in the future. The ones I want to change to “close” are wazuh-alerts* and wazuh-statistics*.
Thank you very much, best regards.
Can you help me with this? I need to know how I can automate the process so that indexes that are 200 days old are changed from “open” to “close” so that they don't take up resources, and do this automatically with new indexes that are created in the future. The ones I want to change to “close” are wazuh-alerts* and wazuh-statistics*.
Thank you very much, best regards.
Isaac Yusuf
Sep 2, 2025, 10:41:13 AM (5 days ago) Sep 2
to Wazuh | Mailing List
Hello,
Instead of <index-name>, it should have the index for that specific date you want to close.
There is no option to configure a "Close" in the Index Lifecycle Management.
But this is the command in the DevTool to close an index:
POST /<index-name>/_close
Instead of <index-name>, it should have the index for that specific date you want to close.
Please keep in mind that you will be able to use "*" to specify patterns that identify the index. So the command: POST /wazuh-alerts-4.x-2025.08.*/_close - will close all the alerts in August 2025 (you can do the same to close all the indexes for the whole year).
Also, with this, to automate the process, it will be possible to create a crontab script on the server side that will run it for you every day to close an index that is older than 200 days. curl -X POST "localhost:9200/ <index-name>/_close" - in this case, you will need to set <index-name> pattern according to the date you need.
Reply all
Reply to author
Forward
0 new messages