Hi,

Yesterday we encountered Hibernate bug https://hibernate.atlassian.net/browse/HHH-3006, which provoked a huge load of useless logstash traces (there were already 400.000 when we detected the problem and enforced a more severe log level). So I tried to wipe out all these useless records from elasticsearch. I referred to the documentation

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-get.html
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

but could not find an easy way to make a GET, check the results are what I want to delete, then make a DELETE. If such functionality exists, please add it to the docs.

I ended up querying this, which is the query made by logstash to filter the results I want:

    curl -XGET 'http://myserver:9200/_all/_search?pretty' -d '{
      "query": { "filtered": {
        "query": { "bool": { "should": [ { "query_string": { "query": "*" } } ] } },
        "filter": { "bool": { "must": [ { "fquery": {
          "query": { "query_string": { "query": "idsession:(\"A7C571A26A606B210563EDBAF1AC7A37\")" } },
          "_cache": true } } ] } }
      } }
    }'

Then I tried to use the same query to make a DELETE of the data, but got several errors and followed the doc in order to have a valid call URL. I ended up with this:

    curl -XDELETE 'http://myserver:9200/logstash-2014.04.02?pretty' -d '{
      "query": { "filtered": {
        "query": { "bool": { "should": [ { "query_string": { "query": "*" } } ] } },
        "filter": { "bool": { "must": [ { "fquery": {
          "query": { "query_string": { "query": "idsession:(\"A7C571A26A606B210563EDBAF1AC7A37\")" } },
          "_cache": true } } ] } }
      } }
    }'

    {
      "acknowledged" : true
    }

But the result was not as expected: I found out that elasticsearch had purely ignored the filter and simply deleted all the data from that index.

I'll let you imagine my frustration when I realized that rather than spending a lot of hours experimenting and trying to apply the docs, I could have just made a rm -rf somewhere and got the same disappointing result in no time.

So now that the big failure is done, I would like to know how I should have done it. There must be a way to test a query before actually sending the delete, right?

Thanks for reading
Aldian
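The failure described in the message above, turned into a guard, as an added example that is not part of the original post. It assumes the Elasticsearch 1.x endpoints (`DELETE /<index>/_query` for delete-by-query, `/_count` for a read-only preview of the same query body); the function names, `ES_DRY_RUN` and `SAMPLE_QUERY` are hypothetical.

```sh
# Added example, not from the original post. Assumes the Elasticsearch 1.x API:
# DELETE /<index>/_query deletes by query; DELETE /<index> drops the whole
# index and ignores the request body, which is what happened in the post.

# Constructed sample body, simplified from the post's idsession query.
SAMPLE_QUERY='{"query":{"query_string":{"query":"idsession:(\"A7C571A26A606B210563EDBAF1AC7A37\")"}}}'

# Succeed only when the URL path ends in /_query (query string ignored).
is_delete_by_query_url() {
  _p="${1%%[?]*}"      # strip ?pretty and any other parameters
  _p="${_p%/}"         # tolerate a trailing slash
  case "$_p" in
    */_query) return 0 ;;
    *) return 1 ;;
  esac
}

# Map the delete URL to the read-only _count URL on the same index.
preview_url() {
  _p="${1%%[?]*}"
  _p="${_p%/}"
  printf '%s\n' "${_p%/_query}/_count?pretty"
}

# Hypothetical wrapper: count the matches, then delete only after confirmation.
# With ES_DRY_RUN=1 it prints both curl commands and sends nothing.
safe_delete_by_query() {
  _url="$1"; _body="$2"
  if ! is_delete_by_query_url "$_url"; then
    echo "refusing: $_url is not a /_query URL; DELETE would drop the index" >&2
    return 2
  fi
  _count_url="$(preview_url "$_url")"
  if [ "${ES_DRY_RUN:-0}" = 1 ]; then
    printf "curl -XGET '%s' -d '%s'\n" "$_count_url" "$_body"
    printf "curl -XDELETE '%s' -d '%s'\n" "$_url" "$_body"
    return 0
  fi
  curl -sS -XGET "$_count_url" -d "$_body" || return 1
  printf 'Type DELETE to remove the documents counted above: '
  read -r _answer
  [ "$_answer" = DELETE ] || { echo "aborted" >&2; return 1; }
  curl -sS -XDELETE "$_url" -d "$_body"
}
```

Because the preview and the delete are derived from one URL and one body, the count shown is for exactly the documents the delete will target, and a bare index URL is rejected before any request is sent.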
