Enterprise Search indexes various event data such as analytics, API requests, and content source events. These event log indexes would grow infinitely in size without retention management. Since 7.9.0, Enterprise Search manages log retention for you, using Index Lifecycle Management (ILM).
Enterprise search creates several ILM policies that manage the Enterprise Search log indexes as they age, automatically transitioning each through a lifecycle. You can find these policies by their IDs to modify them, or you can create your own policies. See:
Enterprise Search uses ILM as long as the underlying Elastic Stack supports the feature. Also, App Search exposes additional controls to disable logging in that product only. See:
Enterprise Search ILM policy IDsedit
Enterprise Search creates ILM policies with the following IDs:
ent-search-api-ecs-ilm-logs ent-search-app-search-analytics-ecs-ilm-logs ent-search-workplace-search-analytics-ecs-ilm-logs ent-search-workplace-search-content-events-ecs-ilm-logs
Manage ILM policiesedit
Manage the above Enterprise Search ILM policies using UIs in Kibana or APIs in Elasticsearch. See:
- Index Lifecycle Policies in the Kibana documentation
- Index lifecycle management API in the Elasticsearch documentation
Disable logging in App Searchedit
Finally, App Search allows admins and developers to disable logging through its log settings UI and API. Although related to log retention, this is a separate feature that is specific to App Search.
See Log settings guide in the App Search documentation.
Intro to Kibana
ELK for Logs & Metrics