使用sh脚本删除
# Settings for the index clean-up performed further down in this script.
# NOTE(review): the requests built from these values carry no URL scheme and
# no credentials, so curl talks plain HTTP without authentication. Confirm
# that this matches how the cluster is secured before scheduling deletions.
searchIndex='filebeat'        # text an index listing line must contain to be considered
elastic_url='192.168.98.136'  # Elasticsearch host
elastic_port='9200'           # Elasticsearch HTTP port
saveday='7'                   # indices whose date is more than this many days from today are deleted
#######################################
# Convert a date string to seconds since the Unix epoch, read as UTC.
# Arguments: $1 - date string understood by date(1), e.g. 2024-01-31
# Outputs:   the epoch timestamp on stdout
# Returns:   the exit status of date(1) (non-zero for an unparsable date)
#######################################
date2stamp() {
  date -u -d "$1" '+%s'
}
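#######################################
# Print the absolute difference between two dates in the requested unit.
# Arguments: $1 - optional unit flag: -s seconds, -m minutes, -h hours,
#                 -d days (days is also the default when no flag is given)
#            next two arguments - the two date strings to compare
# Outputs:   the whole-number difference on stdout (always >= 0)
# Returns:   0 on success; 1 when a date is missing or cannot be parsed.
#            Nothing is printed in that case, so a caller that deletes data
#            based on this value cannot mistake a parse failure for a very
#            large age (an empty timestamp would otherwise count as 0).
#######################################
dateDiff() {
  local unit start_ts end_ts delta

  case "$1" in
    -s) unit=1; shift ;;
    -m) unit=60; shift ;;
    -h) unit=3600; shift ;;
    -d) unit=86400; shift ;;
    *) unit=86400 ;;
  esac

  # An empty string is a valid date for date(1), so reject it explicitly.
  if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
    echo "dateDiff: two dates are required" >&2
    return 1
  fi

  start_ts=$(date2stamp "$1") || return 1
  end_ts=$(date2stamp "$2") || return 1

  # Integer division truncates toward zero, then the sign is dropped.
  delta=$(( (end_ts - start_ts) / unit ))
  if [ "$delta" -lt 0 ]; then
    delta=$(( -delta ))
  fi
  echo "$delta"
}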
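# Delete dated "<...>_log-YYYY.MM.DD" indices that are more than ${saveday}
# days old. Because this loop issues DELETE requests, every check below fails
# closed: an index is removed only when its name and date validate cleanly.
today=$(date +%Y-%m-%d)
curl -s "${elastic_url}:${elastic_port}/_cat/indices?v" | awk '{print $3}' |
while IFS= read -r index; do
  # Only index names containing the configured text are candidates.
  case "$index" in
    *"$searchIndex"*) ;;
    *) continue ;;
  esac

  # The name is placed into the DELETE URL path, so refuse anything carrying
  # wildcard, list or path characters instead of passing it on.
  case "$index" in
    *[*?,/]*)
      echo "skip ${index}: unexpected characters in index name" >&2
      continue
      ;;
  esac

  # The date must be the very end of the name. A name with a trailing suffix
  # after the date would otherwise yield an unparsable date, which the age
  # arithmetic treats as epoch 0, i.e. as extremely old.
  stamp=$(printf '%s\n' "$index" |
    sed -n 's/^.*_log-\(20[0-9][0-9]\.[01][0-9]\.[0-3][0-9]\)$/\1/p')
  [ -n "$stamp" ] || continue
  day=$(printf '%s\n' "$stamp" | tr . -)

  # Reject impossible calendar dates such as 2024-02-31.
  if ! index_ts=$(date2stamp "$day" 2>/dev/null) || [ -z "$index_ts" ]; then
    echo "skip ${index}: cannot parse date ${day}" >&2
    continue
  fi

  # dateDiff reports an absolute difference; keep future-dated indices.
  if ! now_ts=$(date2stamp "$today" 2>/dev/null) || [ -z "$now_ts" ]; then
    echo "skip ${index}: cannot determine today's timestamp" >&2
    continue
  fi
  if [ "$index_ts" -gt "$now_ts" ]; then
    echo "skip ${index}: dated in the future" >&2
    continue
  fi

  age=$(dateDiff -d "$day" "$today")
  case "$age" in
    '' | *[!0-9]*)
      echo "skip ${index}: no usable age computed" >&2
      continue
      ;;
  esac

  printf '%s****diff**** (%s)' "$index" "$age"
  if [ "$age" -gt "$saveday" ]; then
    echo "!!!DELETE ${index}"
    # curl only reports transport failures here; an HTTP error status from
    # the server still shows up only in the printed response body.
    curl -XDELETE "${elastic_url}:${elastic_port}/${index}?pretty" ||
      echo "delete request for ${index} failed" >&2
  else
    echo ""
  fi
done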
添加定时
crontab -e
# 添加以下内容（注意：该行把标准输出和错误输出都重定向到 /dev/null，删除失败时不会留下任何记录；需要排查时可改为重定向到日志文件）
00 03 * * * /usr/local/elk/elasticsearch-8.17.0/delete_es_by_day.sh > /dev/null 2>&1
#验证是否已添加
crontab -l|tail -2
参考: elasticsearch按照日期定时删除索引
参考: removing-old-indices-in-elasticsearch