Need Help With Open Distro ISM Index Templates


CarlosTheSysAdmin

Jan 6, 2022, 11:48:34 AM
to Wazuh mailing list
tl;dr
I cannot change the "number_of_replicas" for my .opendistro-ism-managed-index-history* indices despite changing this setting in the corresponding index template.

Hi, all. I'm having some difficulties with changing the replica count in the index template that is responsible for generating my .opendistro-ism-managed-index-history* indices. I don't have this issue with the "wazuh" or "wazuh-agent" index templates, as I have been able to easily change the "number_of_replicas" using a simple PUT request.

I created the following index template that should change the replica count of the .opendistro-ism-managed-index-history* indices:

PUT _index_template/ism_history_indices
{
  "index_patterns": [
    ".opendistro-ism-managed-index-history-*"
  ],
  "template": {
    "settings": {
      "number_of_replicas": 6
    }
  }
}

However, when I view the most recent .opendistro-ism-managed-index-history* indices, the replica count has not changed to my desired value of 6.

Any help is appreciated. Thank you!

Maximiliano Ibarra

Jan 6, 2022, 12:47:34 PM
to Wazuh mailing list
Hi Carlos.
First of all, thanks for contacting us.
If you want to update the replicas for the already created opendistro-ism-managed-index-history-* indices, you may run the following query in the Opendistro server:

curl -k -u <user>:<pass> -XPUT 'https://localhost:9200/.opendistro-ism-managed-index-history-*/_settings' -H 'Content-Type: application/json' -d '{ "index": { "number_of_replicas": "0", "auto_expand_replicas":"false" } }'

I hope I have helped you.
Best regards.

CarlosTheSysAdmin

Jan 6, 2022, 4:06:06 PM
to Wazuh mailing list

Thank you for your help and your promptness!

Unfortunately I've been using your solution to temporarily fix this issue. At the end of every week, I manually update the "number_of_replicas" for all opendistro-ism-managed-index-history-* indices to my desired value.

I should have clarified that I want all newly created indices to have my desired settings without user intervention (without manually changing the replica count via an API request). I successfully accomplished this for all of my wazuh-monitoring-* and wazuh-statistics-* indices by modifying their respective index templates. Now, whenever a new wazuh-monitoring-* or wazuh-statistics-* index is created, my desired replica count setting is automatically applied by the templates.

However, when I modify the index template for the opendistro-ism-managed-index-history-* indices, my changes are not reflected in the newly created indices.

Maximiliano Ibarra

Jan 13, 2022, 12:20:36 PM
to Wazuh mailing list
Hi Carlos,
I was researching how we can change the default "number_of_replicas" value in the Open Distro index.
A possible solution could be the following:
  1. Create an index template to reduce the number of replicas: https://opendistro.github.io/for-elasticsearch-docs/docs/im/ism/settings/#audit-history-indices
  2. Create a policy, which is connected with the template through alias, and policies require states: https://opendistro.github.io/for-elasticsearch-docs/docs/im/ism/
  3. Run this command to change the default settings: https://opendistro.github.io/for-elasticsearch-docs/docs/elasticsearch/configuration/
    PUT /_cluster/settings
    {
      "persistent": {
        "opendistro": {
          "index_state_management": {
            "history": {
              "number_of_replicas": "0"
            }
          }
        }
      }
    }
I suggest you read all the documentation first to understand how everything works, and then try to make the configuration changes.
I hope that information could help you.
Best regards
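
A way to confirm that the cluster setting from step 3 is in place and to list history indices still carrying a different replica count, added here as an example and not part of the original thread or of Open Distro's own code. It assumes the JSON shapes returned by GET _cluster/settings and GET .opendistro-ism-managed-index-history-*/_settings; the index names and values below are constructed samples.

```python
import json

# Setting name taken from the PUT /_cluster/settings body in the reply above.
SETTING = "opendistro.index_state_management.history.number_of_replicas"

def lookup(settings, dotted):
    """Read a setting from either flat ("a.b.c": v) or nested JSON."""
    if dotted in settings:          # form returned with ?flat_settings=true
        return settings[dotted]
    node = settings
    for part in dotted.split("."):  # default nested form
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def effective_history_replicas(cluster_settings):
    """Transient overrides persistent; None means the plugin default applies."""
    for scope in ("transient", "persistent"):
        value = lookup(cluster_settings.get(scope, {}), SETTING)
        if value is not None:
            return int(value)
    return None

def mismatched_indices(index_settings, expected):
    """Names of history indices whose replica count differs from expected."""
    bad = []
    for name, body in sorted(index_settings.items()):
        actual = lookup(body.get("settings", {}), "index.number_of_replicas")
        if actual is None or int(actual) != expected:
            bad.append(name)
    return bad

# Constructed sample responses (not captured from a real cluster).
CLUSTER = json.loads('{"persistent": {"opendistro": {"index_state_management":'
                     ' {"history": {"number_of_replicas": "0"}}}}, "transient": {}}')
INDICES = json.loads('''{
  ".opendistro-ism-managed-index-history-2022.01.12-000010":
    {"settings": {"index": {"number_of_replicas": "1"}}},
  ".opendistro-ism-managed-index-history-2022.01.14-000011":
    {"settings": {"index": {"number_of_replicas": "0"}}}
}''')

if __name__ == "__main__":
    expected = effective_history_replicas(CLUSTER)
    print("configured history replicas:", expected)
    print("indices on another value:", mismatched_indices(INDICES, expected))
```

Any index the check reports can be brought in line with the _settings request from the first reply.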

moosemaimer

Jan 21, 2022, 4:05:44 PM
to Wazuh mailing list
I applied that PUT command and now my server stays green, thank you for finding that.