Hi 

Yesterday we encountered Hibernate bug 
https://hibernate.atlassian.net/browse/HHH-3006, which provoked a huge load 
of useless logstash traces (there were already 400.000 when we detected the 
problem and enforced a more severe log level). So I tried to wipe out all 
these useless records from elasticsearch. I referred to the documentation 

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-get.html
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

but could not find an easy way to make a GET, check the results are what I 
want to delete, then make a DELETE. If such functionality exists, please 
add it to the docs. I ended up querying this, which is the query made by 
logstash to filter the results I want:

    curl -XGET 'http://myserver:9200/_all/_search?pretty' -d '{
      "query": { "filtered": {
        "query": { "bool": { "should": [ { "query_string": { "query": "*" } } ] } },
        "filter": { "bool": { "must": [ {
          "fquery": {
            "query": { "query_string": {
              "query": "idsession:(\"A7C571A26A606B210563EDBAF1AC7A37\")"
            } },
            "_cache": true
          }
        } ] } }
      } }
    }'

Then I tried to use the same query to make a DELETE of the data, but got 
several errors and followed the doc in order to have a valid call url. I 
ended with this:

    curl -XDELETE 'http://myserver:9200/logstash-2014.04.02?pretty' -d '{
      "query": { "filtered": {
        "query": { "bool": { "should": [ { "query_string": { "query": "*" } } ] } },
        "filter": { "bool": { "must": [ {
          "fquery": {
            "query": { "query_string": {
              "query": "idsession:(\"A7C571A26A606B210563EDBAF1AC7A37\")"
            } },
            "_cache": true
          }
        } ] } }
      } }
    }'

    {
      "acknowledged" : true
    }

But the result was not as expected: I found out that elasticsearch had 
purely ignored the filter and simply deleted all the data from that index. 
I'll let you imagine my frustration when I realized that rather than spending 
a lot of hours experimenting and trying to apply the docs, I could have 
just made a rm -rf somewhere and got the same disappointing result in no 
time.

So now that the big failure is done, I would like to know how I should have 
done it. There must be a way to test a query before actually sending the 
delete, right?

Thanks for reading

Aldian
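
One way to do the preview-then-delete flow asked about above, as an added example that is not part of the original post. It assumes the `_query` delete-by-query endpoint described on the linked docs-delete-by-query page; the function names and `query.json` (a file holding the request body from the post) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, query.json and
# the reliance on the <index>/_query endpoint are assumptions.

# endpoint <base-url> <index> <preview|delete>
# The preview is a read-only search; the delete goes to <index>/_query.
endpoint() {
    case "$3" in
        preview) printf '%s/%s/_search?pretty' "${1%/}" "$2" ;;
        delete)  printf '%s/%s/_query?pretty'  "${1%/}" "$2" ;;
        *)       return 1 ;;
    esac
}

# is_safe_delete_url <url>
# Succeeds only when the path (query string stripped) ends in /_query.
# A DELETE sent to the bare index URL removes the whole index and the
# request body is not consulted, which is what happened in the post.
is_safe_delete_url() {
    path=${1%%\?*}
    case "$path" in
        */_query) return 0 ;;
        *)        return 1 ;;
    esac
}

# purge <base-url> <index> <query-file>
# Runs the same body as a search, asks for confirmation, then deletes.
purge() {
    del_url=$(endpoint "$1" "$2" delete) || return 2
    if ! is_safe_delete_url "$del_url"; then
        echo "refusing DELETE on $del_url" >&2
        return 2
    fi
    # 1. Preview: check hits.total and the sample hits in the response.
    curl -sS -XGET "$(endpoint "$1" "$2" preview)" -d @"$3" || return 1
    # 2. Confirm before anything destructive is sent.
    printf 'Delete the documents matched above from %s? [y/N] ' "$2"
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted"; return 0; }
    # 3. Delete by query with the identical body.
    curl -sS -XDELETE "$del_url" -d @"$3"
}

# Usage (not run here): purge http://myserver:9200 logstash-2014.04.02 query.json
```
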
