I got sick of having to trim my Logstash indices in Elasticsearch manually, so I created a PowerShell script and set it as a scheduled task. By default it keeps the last 60 days.

1
2
3
4
5
6
7
8
9
10
11
12
13
#Replace with the URL of your Elasticsearch instance
$url = "http://elasticsearch:9200/"
#Replace with how many days you want to keep, minus one (below means 60)
$i = 59
$request = (Invoke-WebRequest -Uri $url/_aliases).content | ConvertFrom-Json
$indices = $request | Get-Member | where {$_.name -like "logstash*"} | select name | sort name -Descending
$count = $indices.count
do {
    $var = $indices[$i].name
    Invoke-WebRequest -Uri $url/$var/ -Method Delete
    $i++
}
until ($i -eq $count)

Works well, but it doesn’t send a report or anything that it has been done.