A snapshot lifecycle policy keeps backups happening on schedule, protecting Elasticsearch data from accidental deletions, failed upgrades, and unexpected node loss without relying on manual snapshot runs.
Snapshot lifecycle management (SLM) stores policy definitions in cluster state, executes snapshots on a Quartz cron schedule, and writes them into a registered snapshot repository using a predictable naming scheme (including date math in snapshot names).
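A snapshot repository must already exist and be reachable by all nodes before any policy can run, and the API caller needs sufficient privileges to manage snapshots and SLM. When security is enabled, the requests need HTTPS and authentication, as the examples here show with a CA certificate and basic credentials; adjust the certificate path and credentials to match the cluster. A password given inline with -u ends up in shell history and the process list, so outside a lab pass only the user name and let curl prompt for the password. Treat schedules as UTC.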
Steps to create an Elasticsearch snapshot lifecycle policy:
- Confirm the snapshot repository is registered.
```
$ curl -s --cacert /etc/elasticsearch/certs/http-ca.crt -u elastic:password "https://localhost:9200/_snapshot?pretty"
{
  "local_fs" : {
    "type" : "fs",
    ##### snipped #####
    "settings" : {
      "location" : "/var/lib/elasticsearch/snapshots"
    }
  }
}
```
- Confirm SLM is running before creating a schedule.
```
$ curl -s --cacert /etc/elasticsearch/certs/http-ca.crt -u elastic:password "https://localhost:9200/_slm/status?pretty"
{
  "operation_mode" : "RUNNING"
}
```
- Create the snapshot lifecycle policy.
```
$ curl -s --cacert /etc/elasticsearch/certs/http-ca.crt -u elastic:password -H "Content-Type: application/json" -X PUT "https://localhost:9200/_slm/policy/daily-snapshots?pretty" -d '{
  "schedule": "0 30 1 * * ?",
  "name": "<daily-snap-{now/d}>",
  "repository": "local_fs",
  "config": {
    "indices": ["logs-*"],
    "include_global_state": false
  },
  "retention": {
    "expire_after": "30d",
    "min_count": 7,
    "max_count": 90
  }
}'
{
  "acknowledged" : true
}
```
The schedule field uses Quartz cron syntax, and the snapshot name supports date math inside < >.
- Execute the policy once to verify it runs.
```
$ curl -s --cacert /etc/elasticsearch/certs/http-ca.crt -u elastic:password -X POST "https://localhost:9200/_slm/policy/daily-snapshots/_execute?pretty"
{
  "snapshot_name" : "daily-snap-2026.01.06-lhd7xhmvskuux5lrrvdlqa"
}
```
- Check that the snapshot reported by the execute call exists in the repository and is in SUCCESS state.
```
$ curl -s --cacert /etc/elasticsearch/certs/http-ca.crt -u elastic:password "https://localhost:9200/_snapshot/local_fs/daily-snap-2026.01.06-lhd7xhmvskuux5lrrvdlqa?pretty"
{
  "snapshots" : [
    {
      "snapshot" : "daily-snap-2026.01.06-lhd7xhmvskuux5lrrvdlqa",
      "uuid" : "DgtOcqsFSQaFN6wyCevWpg",
      "repository" : "local_fs",
      "indices" : [
        "logs-2026.01"
      ],
      "include_global_state" : false,
      "state" : "SUCCESS",
      "start_time" : "2026-01-06T14:52:20.872Z",
      "end_time" : "2026-01-06T14:52:20.872Z"
      ##### snipped #####
    }
  ],
  "total" : 1,
  "remaining" : 0
}
```
- Check policy status for last success and next execution time.
```
$ curl -s --cacert /etc/elasticsearch/certs/http-ca.crt -u elastic:password "https://localhost:9200/_slm/policy/daily-snapshots?pretty"
{
  "daily-snapshots" : {
    "version" : 1,
    "modified_date_millis" : 1767711135158,
    "policy" : {
      "schedule" : "0 30 1 * * ?",
      "name" : "<daily-snap-{now/d}>",
      "repository" : "local_fs",
      "config" : {
        "indices" : [
          "logs-*"
        ],
        "include_global_state" : false
      },
      "retention" : {
        "expire_after" : "30d",
        "min_count" : 7,
        "max_count" : 90
      }
    },
    "last_success" : {
      "snapshot_name" : "daily-snap-2026.01.06-lhd7xhmvskuux5lrrvdlqa"
      ##### snipped #####
    },
    "next_execution_millis" : 1767749400000,
    "stats" : {
      "snapshots_taken" : 1,
      "snapshots_failed" : 0
    }
  }
}
```
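The retention block in the policy above combines three settings whose interaction is easy to misjudge. The following Python sketch is an added example, not code from the original page or from Elasticsearch: it is a simplified model of the documented retention semantics for successful snapshots only, and the function names and sample snapshot lists are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Retention block from the daily-snapshots policy above.
RETENTION = {"expire_after": timedelta(days=30), "min_count": 7, "max_count": 90}


def retention_deletions(snapshots, now, retention=RETENTION):
    """Return names of snapshots this simplified model marks for deletion.

    snapshots: list of (name, start_time) for SUCCESS snapshots of one policy.
    Failed and partial snapshots are outside this model (assumption).
    """
    ordered = sorted(snapshots, key=lambda s: s[1])  # oldest first
    total = len(ordered)
    doomed = set()

    # max_count: drop the oldest snapshots beyond the cap, expired or not.
    over_cap = max(0, total - retention["max_count"])
    doomed.update(name for name, _ in ordered[:over_cap])

    # expire_after: only the oldest (total - min_count) snapshots may expire,
    # so the newest min_count always survive even when they are stale.
    may_expire = ordered[: max(0, total - retention["min_count"])]
    for name, started in may_expire:
        if now - started > retention["expire_after"]:
            doomed.add(name)

    return [name for name, _ in ordered if name in doomed]


def daily_snapshots(count, newest):
    """Constructed sample data: one snapshot per day, ending at `newest`.

    Real SLM names also carry a random suffix, omitted here.
    """
    return [
        (f"daily-snap-{(newest - timedelta(days=i)):%Y.%m.%d}", newest - timedelta(days=i))
        for i in range(count)
    ]


if __name__ == "__main__":
    now = datetime(2026, 3, 1, 2, 0, tzinfo=timezone.utc)
    last_run = datetime(2026, 3, 1, 1, 30, tzinfo=timezone.utc)

    # Healthy schedule: 40 daily snapshots, those older than 30 days expire.
    print(retention_deletions(daily_snapshots(40, last_run), now))

    # Policy stalled 60 days ago: every snapshot is past expire_after,
    # but min_count still keeps the newest 7.
    print(retention_deletions(daily_snapshots(10, last_run - timedelta(days=60)), now))
```

In the stalled case min_count keeps the last 7 snapshots in the repository, so the presence of snapshots does not show that backups are current; the last_success and stats fields from the policy status call are what reveal a policy that has stopped running.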
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
