Hi Juan, you pretty much only have to replace your last GET request with a DELETE request, see https://www.elastic.co/guide/en/elasticsearch/reference/1.7/docs-delete-by-query.html for reference and Jean-Luc's last post for an example.
Cheers,
Jochen

On Thursday, 1 October 2015 16:56:31 UTC+2, Juan Andres Ramirez wrote:
>
> Hello,
> I'm opening this old thread because I have the same problem.
> I used the same command to delete every message with source as target.
> For example:
>
> curl -XGET 'http://10.101.81.199:9200/graylog2_20/message/_search?pretty'
>
> My output is:
>
> {
> "_index" : "graylog2_20",
> "_type" : "message",
> "_id" : "9d8cd406-605f-11e5-943e-005056a9199b",
> "_score" : 1.0,
> "_source":{"gl2_source_node":"297d10be-8e9e-4021-9ab6-deedd27202ce",
> "s-ip":"10.101.250.209","time-taken":73,"csUser-Agent":
> "Jakarta+Commons-HttpClient/3.1","EventReceivedTime":"2015-09-21 08:54:28"
> ,"date":"2015-09-21","request_time":"12:54:24","version":"1.1","s-port":
> 443,"timestamp":"2015-09-21 12:54:28.000","SourceModuleName":"iis","time":
> "12:54:24","level":6,"_id":"9d8cd406-605f-11e5-943e-005056a9199b",
> "gl2_source_input":"5585b15184ae398b735b8d36","c-ip":"64.145.75.146",
> "SourceModuleType":"im_file","full_message":"2015-09-21 12:54:24
> 10.101.250.209 GET /p1/clients/6035757/populationData
> Jakarta+Commons-HttpClient/3.1 200 0 0 73","cs-uri-stem":
> "/p1/clients/6035757/populationData","sc-win32-status":0,"cs-method":"GET"
> ,"message":"2015-09-21 12:54:24 10.101.250.209 GET
> /p1/clients/6035757/popul","sc-status":"200","SourceName":"IIS",
> "sc-substatus":0,*"source":"SERVER-1"*,"streams":[]}
>
> So I want to delete every input with source: SERVER-1 in index graylog2_20.
>
> I tried with the following command but the output is null, I'm testing
> with XGET.
>
> # curl -XGET 'http://10.101.81.199:9200/graylog2_20/messages/_query' -d '{
> "query_string": {
> "default_field" : "source",
> "query": "SERVER-1"}}'
>
> Output:
> {"_index":"graylog2_20","_type":"messages","_id":"_query","found":false}
>
> Does someone know how to delete by source?
>
> Thank you.
>
> On Thursday, January 16, 2014 at 6:26:40 AM UTC-3, Jean-Luc Bassereau wrote:
>>
>> That looks something like this for me :
>>
>> curl -XDELETE 'http://127.0.0.1:9200/graylog2_*/message/_query' -d ' {
>> "query_string" : { "default_field" : "host", "query" : "HOSTNAME" } }'
>>
