Hello,
I'm opening this old thread because I have the same problem.
I used the same command to delete every message with source as target.
For example:
 
 curl -XGET 'http://10.101.81.199:9200/graylog2_20/message/_search?pretty'

My output is:

 {
      "_index" : "graylog2_20",
      "_type" : "message",
      "_id" : "9d8cd406-605f-11e5-943e-005056a9199b",
      "_score" : 1.0,
      "_source":{"gl2_source_node":"297d10be-8e9e-4021-9ab6-deedd27202ce",
"s-ip":"10.101.250.209","time-taken":73,"csUser-Agent":
"Jakarta+Commons-HttpClient/3.1","EventReceivedTime":"2015-09-21 08:54:28",
"date":"2015-09-21","request_time":"12:54:24","version":"1.1","s-port":443,
"timestamp":"2015-09-21 12:54:28.000","SourceModuleName":"iis","time":
"12:54:24","level":6,"_id":"9d8cd406-605f-11e5-943e-005056a9199b",
"gl2_source_input":"5585b15184ae398b735b8d36","c-ip":"64.145.75.146",
"SourceModuleType":"im_file","full_message":"2015-09-21 12:54:24 
10.101.250.209 GET /p1/clients/6035757/populationData 
Jakarta+Commons-HttpClient/3.1 200 0 0 73","cs-uri-stem":
"/p1/clients/6035757/populationData","sc-win32-status":0,"cs-method":"GET",
"message":"2015-09-21 12:54:24 10.101.250.209 GET /p1/clients/6035757/popul"
,"sc-status":"200","SourceName":"IIS","sc-substatus":0,*"source":"SERVER-1"*
,"streams":[]}


So I want to delete every input with source: SERVER-1 in index graylog2_20.

I tried with the following command but the output is null, I'm testing with 
XGET.

# curl -XGET 'http://10.101.81.199:9200/graylog2_20/messages/_query' -d '{
"query_string": {
"default_field" : "source",
"query": "SERVER-1"}}'


Output:
{"_index":"graylog2_20","_type":"messages","_id":"_query","found":false}

Does someone know how to delete by source?

Thank you.





On Thursday, January 16, 2014 at 6:26:40 AM UTC-3, Jean-Luc Bassereau wrote:
>
> That looks something like this for me :
>
> curl -XDELETE 'http://127.0.0.1:9200/graylog2_*/message/_query' -d ' { 
> "query_string" : { "default_field" : "host", "query" : "HOSTNAME" } }'
>
>
> 2014/1/16 Kay Röpke <[email protected]>
>
>> Hi!
>>
>> You mean the ones listed on the "Sources" page?
>> Those are calculated from the messages in the current indices. Based on 
>> your retention settings the hosts listed there will eventually go away.
>>
>> Graylog2 currently doesn't have a method to delete data, if you really 
>> have to get rid of it, going to elasticsearch directly is your best bet at 
>> this point:
>>
>> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-delete-by-query.html
>>
>> Best,
>> Kay
>>
>> On Thursday, January 16, 2014 10:06:40 AM UTC+1, Martin Zeug wrote:
>>>
>>> Hi, I installed rc1 - works great. But how to remove old sources not used 
>>> anymore?
>>>
>>> Greetings,
>>>
>>> Martin
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "graylog2" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
>
> -- 
> Cordialement,
> Jean-Luc Bassereau 
>
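
An added example, not part of the original posts: the `"found":false` reply shown above is Elasticsearch answering a document GET (type `messages`, id `_query`), not a query result. Assuming Elasticsearch 1.x, where `_count` and `DELETE <index>/<type>/_query` take the query under a top-level `query` key, the functions below count the matches first and delete only when told to; `ES_URL` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Elasticsearch 1.x, where _count and
# DELETE <index>/<type>/_query expect the query under a top-level "query" key.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"   # hypothetical default node address

# JSON-escape backslashes and double quotes in a value.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the request body: query_body FIELD VALUE
query_body() {
  printf '{"query":{"query_string":{"default_field":"%s","query":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Build the URL for an action on the "message" type (singular, as in the
# search output above): endpoint INDEX ACTION
endpoint() {
  printf '%s/%s/message/%s' "$ES_URL" "$1" "$2"
}

# delete_by_source INDEX SOURCE [--yes]
# Without --yes, only reports how many documents match.
delete_by_source() {
  body=$(query_body source "$2")
  echo "Matching documents in $1:"
  curl -s -XGET "$(endpoint "$1" _count)?pretty" -d "$body" || return 1
  if [ "${3:-}" = "--yes" ]; then
    curl -s -XDELETE "$(endpoint "$1" _query)?pretty" -d "$body"
  else
    echo "Dry run only; re-run with --yes to delete."
  fi
}

# Usage (constructed from the values in the post):
#   delete_by_source graylog2_20 SERVER-1          # preview the match count
#   delete_by_source graylog2_20 SERVER-1 --yes    # delete the matches
```

Deleting from a log index is irreversible, so compare the `_count` result with what the "Sources" page shows before passing `--yes`.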
