Index rollover keeps log and time-series indices from growing indefinitely, reducing shard overhead and keeping searches and recoveries fast while retaining historical data.

Rollover operates on an alias rather than a concrete index. A write alias such as logs-write targets the current generation (logs-000001) with is_write_index set, and the rollover API creates the next generation (logs-000002) when conditions like document count, age, or size are met while leaving older indices searchable under the same alias.

Index names should end with a zero-padded counter so the next generation name can be derived automatically. All ingest clients must write to the alias rather than the underlying index name, and secured clusters may require authentication and TLS options in curl (for example, --user and --cacert). For automated rollovers and retention, pair aliases with index templates and ILM policies so new indices inherit mappings, settings, and lifecycle actions.

Related: How to create and manage index templates in Elasticsearch
Related: How to create an index lifecycle policy in Elasticsearch

Steps to perform an index rollover in Elasticsearch:

  1. Create the initial index with a write alias marked as is_write_index. 
    $ curl -s -H "Content-Type: application/json" -X PUT "http://localhost:9200/logs-000001?pretty" -d '{
  "aliases": {
    "logs-write": {
      "is_write_index": true
    }
  }
}'
{
  "acknowledged" : true,
  "shards_acknowledged" : true,
  "index" : "logs-000001"
}

    A zero-padded numeric suffix (-000001) enables automatic name incrementing during rollover.

  2. Index a test document through the write alias. 
    $ curl -s -H "Content-Type: application/json" -X POST "http://localhost:9200/logs-write/_doc?refresh=true&pretty" -d '{
  "@timestamp": "2026-01-06T05:00:00Z",
  "message": "rollover smoke test"
}'
{
  "_index" : "logs-000001",
  "_id" : "tjXCk5sBM9r8KKMaSDeq",
  "_version" : 1,
  "result" : "created",
  "forced_refresh" : true,
  "_shards" : {
    "total" : 2,
    "successful" : 1,
    "failed" : 0
  },
  "_seq_no" : 0,
  "_primary_term" : 1
}

    Writes sent to logs-write remain stable even when the backing index generation changes.

  3. Run the rollover API against the write alias with a met condition. 
    $ curl -s -H "Content-Type: application/json" -X POST "http://localhost:9200/logs-write/_rollover?pretty" -d '{
  "conditions": {
    "max_docs": 1
  }
}'
{
  "acknowledged" : true,
  "shards_acknowledged" : true,
  "old_index" : "logs-000001",
  "new_index" : "logs-000002",
  "rolled_over" : true,
  "dry_run" : false,
  "conditions" : {
    "[max_docs: 1]" : true
  }
}

    Append dry_run=true to the rollover request to evaluate condition status without creating a new index.

    Extremely low rollover thresholds can create a large number of small indices, increasing cluster state size and management overhead.

  4. Verify the alias marks the new index as the write target. 
    $ curl -s "http://localhost:9200/_alias/logs-write?pretty"
{
  "logs-000001" : {
    "aliases" : {
      "logs-write" : {
        "is_write_index" : false
      }
    }
  },
  "logs-000002" : {
    "aliases" : {
      "logs-write" : {
        "is_write_index" : true
      }
    }
  }
}
  5. Index another test document through the alias. 
    $ curl -s -H "Content-Type: application/json" -X POST "http://localhost:9200/logs-write/_doc?refresh=true&pretty" -d '{
  "@timestamp": "2026-01-06T05:00:30Z",
  "message": "post-rollover write"
}'
{
  "_index" : "logs-000002",
  "_id" : "uDXCk5sBM9r8KKMagTeQ",
  "_version" : 1,
  "result" : "created",
  "forced_refresh" : true,
  "_shards" : {
    "total" : 2,
    "successful" : 1,
    "failed" : 0
  },
  "_seq_no" : 0,
  "_primary_term" : 1
}

    The response _index field indicates the concrete index that received the write.

  6. List the indices that match the rollover pattern. 
    $ curl -s "http://localhost:9200/_cat/indices/logs-*?v"
health status index        uuid                   pri rep docs.count docs.deleted store.size pri.store.size dataset.size
yellow open   logs-000001  fxX3PJGCSKKL_xaGyLDpzw   1   1          1            0      5.1kb          5.1kb        5.1kb
green  open   logs-2024.12 WC20x27IQYOYFhqwHOUyYw   1   0          0            0       249b           249b         249b
yellow open   logs-2026.01 02UAx9saS3iMRNG8Erl3LQ   1   1          2            0        6kb            6kb          6kb
yellow open   logs-2024.05 1J02S-r0TdSzF2kCApuQKg   1   1          0            0       249b           249b         249b
yellow open   logs-000002  K0jCR0fBThOcC2BV7JO5rA   1   1          1            0       227b           227b         227b

    Yellow health can be expected on single-node clusters when replicas cannot be allocated.