Hello,
I’m currently running a hot-warm architecture with 3 hot and 3 warm elasticsearch nodes. I would like to break these into separate clusters and use the new ES features to ship my logs from prod to archive. I will query the archive cluster with Kibana so graylog will only be accessing the production indexes. The question I have is; after i break the clusters apart is there a good way for me delete all of the archive indexes from graylog without doing them individually in the UI? I know i can do the delete curling ES directly and then do some work in mongo to make graylog aware of the change but is that best practice?
Any tips or comments on this plan are welcome.
Thanks,
JCS