Paul Bradley, Solutions Architect & Software Developer

Amazon OpenSearch | Notes

Notes on using Amazon's OpenSearch, the distributed search and analytics suite derived from Elasticsearch.


Table of Contents
  1. OpenSearch
  2. Removing a write lock on an index
  3. Deleting records using the delete by query endpoint
  4. Provisioning an OpenSearch Cluster with Terraform

OpenSearch

Amazon OpenSearch Service makes it easy for you to perform interactive log analytics, real-time application monitoring, website search, and more. OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch.

We use Logstash, part of the Elastic Stack, to ship application log files into an OpenSearch index.

Removing a write lock on an index

I was recently attempting to upgrade a cluster to the latest 2.3 version. However, the pre-production cluster had become full and OpenSearch had put a write lock on the index to protect the cluster.

As there was insufficient space, the upgrade couldn't be performed. I needed to purge older documents from the cluster, and before I could do that I needed to remove the write block on the index.

I used the following curl command to remove the write block by setting the value to false. In the examples, corestl is the name of the index and vpc-cluster-id.region.es.amazonaws.com stands in for the domain's VPC endpoint.

curl -X PUT \
     -H "Content-Type: application/json" \
     -d '{"index": {"blocks": {"write": "false"}}}' \
     https://vpc-cluster-id.region.es.amazonaws.com/corestl/_settings

Deleting records using the delete by query endpoint

With the write block removed, I could then use the delete by query endpoint to delete documents from the index older than the 1st of December 2022. The curl command is shown below. Note that the URL must be quoted: unquoted, the shell treats each & in the query string as a command separator and sends the request without the refresh and conflicts parameters.

curl -X POST \
     -H "Content-Type: application/json" \
     -d @delete.json \
     "https://vpc-cluster-id.region.es.amazonaws.com/corestl/_delete_by_query?timeout=5m&refresh=true&conflicts=proceed"

The contents of the delete.json file are shown below:

{
    "query": {
        "bool": {
            "filter": {
                "range": {
                    "@timestamp": {
                        "lte": "2022-12-01 00:00:00.0",
                        "format": "yyyy-MM-dd HH:mm:ss.S"
                    }
                }
            }
        }
    }
}
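The two steps above, inspecting the index for block flags and then issuing a delete by query, can be scripted instead of typed as separate curl commands. This is an added example, not code from the original notes: the endpoint and index are assumed placeholders, the _settings response and the _delete_by_query response are constructed samples, and the functions build and interpret the requests without sending them (pass the URL and body to curl or requests).

```python
"""Build and check the OpenSearch clean-up requests described above.
Added example; ENDPOINT is an assumed placeholder for the VPC endpoint."""
from urllib.parse import urlencode

ENDPOINT = "https://vpc-cluster-id.region.es.amazonaws.com"  # assumed placeholder
INDEX = "corestl"

def find_blocks(settings_response: dict, index: str) -> dict:
    """Return the index.blocks.* flags set to true in a GET /<index>/_settings
    response. Settings come back as strings, so compare on "true"."""
    blocks = (settings_response.get(index, {}).get("settings", {})
              .get("index", {}).get("blocks", {}))
    return {k: v for k, v in blocks.items() if str(v).lower() == "true"}

def unblock_request(index: str) -> tuple[str, dict]:
    """URL and body for PUT /<index>/_settings that clears the write block."""
    return f"{ENDPOINT}/{index}/_settings", {"index": {"blocks": {"write": False}}}

def range_query(cutoff: str) -> dict:
    """The delete.json body: everything with @timestamp <= cutoff. The same
    body can be POSTed to /<index>/_count first as a dry run."""
    return {"query": {"bool": {"filter": {"range": {"@timestamp": {
        "lte": cutoff, "format": "yyyy-MM-dd HH:mm:ss.S"}}}}}}

def delete_by_query_request(index: str, cutoff: str) -> tuple[str, dict]:
    """URL and body for POST /<index>/_delete_by_query. urlencode keeps the
    '&' separators inside the URL string, so no shell quoting is involved."""
    params = urlencode({"timeout": "5m", "refresh": "true", "conflicts": "proceed"})
    return f"{ENDPOINT}/{index}/_delete_by_query?{params}", range_query(cutoff)

def needs_rerun(response: dict) -> bool:
    """True if a _delete_by_query response left work behind: the task timed
    out, a bulk batch failed, or conflicts=proceed skipped updated documents."""
    return bool(response.get("timed_out") or response.get("failures")
                or response.get("version_conflicts", 0) > 0)

# Constructed samples standing in for real cluster responses
SAMPLE_SETTINGS = {INDEX: {"settings": {"index": {
    "blocks": {"write": "true", "read_only_allow_delete": "true"},
    "number_of_shards": "5"}}}}
SAMPLE_DELETE_RESPONSE = {"took": 1200, "timed_out": False, "total": 48213,
                          "deleted": 48210, "version_conflicts": 3, "failures": []}

if __name__ == "__main__":
    print("blocks set:", find_blocks(SAMPLE_SETTINGS, INDEX))
    print(*delete_by_query_request(INDEX, "2022-12-01 00:00:00.0"))
    print("rerun needed:", needs_rerun(SAMPLE_DELETE_RESPONSE))
```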

Provisioning an OpenSearch Cluster with Terraform

Below is the Terraform template I used to provision the initial OpenSearch cluster. It uses the aws_elasticsearch_domain resource with engine version 7.10, placed inside a VPC with encryption at rest, node-to-node encryption and HTTPS-only access enforced.

resource "aws_elasticsearch_domain" "elastic-ihe-logs" {
    domain_name           = "elastic-ihe-logs"
    elasticsearch_version = "7.10"

    cluster_config {
        instance_count         = 2
        instance_type          = "r5.large.elasticsearch"
        zone_awareness_enabled = true
    }

    vpc_options {
        subnet_ids = var.private_subnets
        security_group_ids = [var.elasticsearch_security_group_id]
    }

    ebs_options {
        ebs_enabled = true
        volume_size = 1000
        volume_type = "gp2"
    }

    encrypt_at_rest {
        enabled = true
    }

    node_to_node_encryption {
        enabled = true
    }

    domain_endpoint_options {
        enforce_https       = true
        tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
    }

    snapshot_options {
        automated_snapshot_start_hour = 4
    }

    # The domain sits in a VPC, so network reachability is governed by the
    # subnets and security group above; this resource policy then allows any
    # principal that can reach the endpoint. Replace XXXXXX with the account id.
    access_policies = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-2:XXXXXX:domain/elastic-ihe-logs/*"
    }
  ]
}
POLICY

}