ElastAlert not automation re-create Index after elastalert Index deleted

[quoctuan2311]

Because control for Size Index
I have created an index lifecycle policy and index template to manage it.

PUT _index_template/elastalert
{
  "priority": 100,
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "elastalert-policy"
        },
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },
        "refresh_interval": "5s",
        "number_of_replicas": "0"
      }
    },
    "mappings": {
      "dynamic_templates": [
        {
          "strings_as_keyword": {
            "mapping": {
              "ignore_above": 204800,
              "type": "text"
            }
          }
        }
      ]
    }
  },
  "index_patterns": [
    "elastalert*"
  ],
  "composed_of": [],
  "_meta": {
    "description": "index template for elastalert"
  }
}

PUT _index_template/elastalert
{
  "priority": 100,
  "template": {
    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },
        "refresh_interval": "5s",
        "number_of_replicas": "0"
      }
    },
    "mappings": {
      "dynamic_templates": [
        {
          "strings_as_keyword": {
            "mapping": {
              "ignore_above": 204800,
              "type": "text"
            }
          }
        }
      ]
    }
  },
  "index_patterns": [
    "elastalert*"
  ],
  "composed_of": [],
  "_meta": {
    "description": "index template for elastalert"
  }
}

But after index be delete by index lifecycle policy.
elastalert can not re-create index in elasticsearch.
I know manual execute run script elastalert-create-index in Elast Alert Service

[jertel]

Deleting the ElastAlert 2 index while it's running is equivalent to pulling the rug out from underneath someone. It's going to cause problems.

You will need to perform index pruning in a maintenance window, where you first shutdown ElastAlert 2, then prune the index, and then restart ElastAlert 2.

[quoctuan2311]

My expected is automation management for documents of this index.

Such as,
Document of Index create by elastalert only keep 30d.
After 30d, this document be deleted.

But currently, I have to manually delete old documents from the index where the @timestamp is more than 30d compared to the present. Specific index elastalert_status, it have than 500 documents created after 1d start.

[jertel]

One option is to use a cron or systemd timer that invokes the ES delete API every night, to prune older documents. Ex: https://discuss.elastic.co/t/automatically-delete-older-documents/247078/10. This is a small effort, in the range of hours.

Another option is to submit a PR to ElastAlert 2 for switching to daily indices. This is a much larger effort compared to the first option, in the range of days to weeks depending on your Python and unit test skillset.