securityonion/salt/curator/files/action/delete.yml

{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
  {%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%}
{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
  {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%}
{%- endif %}
---
# Remember, leave a key empty if there is no value.  None will be a string,
# not a Python "NoneType"
#
# Also remember that all examples have 'disable_action' set to True.  If you
# want to use this action as a template, be sure to set this to False after
# copying it.
actions:
  1:
    action: delete_indices
    description: >-
      Delete indices when {{log_size_limit}}(GB) is exceeded.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-.*|so-.*)$'
    - filtertype: space
      source: creation_date
      use_age: True
      disk_space: {{log_size_limit}}