Index Lifecycle Management (ILM) problems

Hi, me again.
I’m having some ILM problems or maybe it’s understanding, anyway.
This is my elastiflow policy for flows:
{
“policy”: “elastiflow”,
“phase_definition”: {
“min_age”: “0ms”,
“actions”: {
“rollover”: {
“max_age”: “1d”,
“max_primary_shard_docs”: 200000000,
“min_docs”: 1,
“max_primary_shard_size”: “30gb”
},
“forcemerge”: {
“max_num_segments”: 1,
“index_codec”: “best_compression”
}
}
},
“version”: 3,
“modified_date_in_millis”: 1753685962928
}
And this is my :

“.ds-elastiflow-flow-ecs-8.0-2.5-tsds-2025.07.27-000001”, not sure if it needs to have the “.” before the name but that’s how it was created. It is also over 30gb in size.
So my question, is that supposed to happen?
It is tsds and every index having elastiflow, ecs was deleted before I activated flowcoll. Reading documentation it says I should enable synthetic source to reduce size? A bit lost there.
Is there a way to make it akin to log rotate? Compress and create a new one, or does it not work that way?

Did you see this earlier post regarding ILM and TSDS?

For testing I know I had asked you to remove all the index templates and disable TSDS. If you have re-enabled it, you will likely need to do what @rob suggests in this earlier post to get things to rollover properly.

Also, you may want to review this information on storage optimization that was introduced in NetObserv Flow in 7.11.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.