Is it possible to force_merge an index with ISM and still accept writes after the merge?

Plugins Index Management
1

I am experiencing issues in a cluster where I’m using name-%{+YYYY.MM.dd} style index patterns in combination with Logstash and ISM. This works fine for the most parts, but now and then a batch of older messages gets pushed through the pipeline, causing Logstash to attempt writing to an older index.

When this happens I end up setting a ton of errors like this in the Logstash logs: [INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/8/index write (api)];"})

I’ve concluded that this is due to the force_merge is adding a write block after it’s run, as per: Actions | Elasticsearch Guide [7.0] | Elastic . Is there any way to have it not being marked as blocking writes? I tried to work around this by adding a read_write action after the force_merge in the ISM policy, but that appears to have done nothing.

2

Update: Turns out that I was too early in my conclusion. The reason adding a read_write after the force_merge didn’t work is because changing the policy doesn’t effect the policy on existing indices, however for the indices created after the policy was changes it works.

I now have a step in the policy that looks look this:

            {
                "name": "warm",
                "actions": [
                    {
                        "force_merge": {
                            "max_num_segments": 1
                        }
                    },
                    {
                        "read_write": {}
                    }
                ],
                "transitions": [
                    {
                        "state_name": "delete",
                        "conditions": {
                            "min_index_age": "7d"
                        }
                    }
                ]
            },