Hi Daniel,

you could use the Elasticsearch Update API <https://www.elastic.co/guide/en/elasticsearch/reference/1.7/docs-update.html> and the integrated scripting for this.

See https://stackoverflow.com/questions/29002215/remove-a-field-from-a-elasticsearch-document for a rough idea of how to delete a field from one document. You would need to retrieve all document IDs and iterate over them, e.g. in a small script. Also make sure to "optimize" ("force merge" in Elasticsearch 2.x, see https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-optimize.html) the updated indices after the modifications.

Cheers,
Jochen

On Thursday, 28 April 2016 10:31:35 UTC+2, Daniel Kamiński wrote:
> Hello
>
> I was playing with snmp some time ago, it created multiple *fields with dots*. Now the new ES doesn't support dots in field names, so I cannot upgrade to Graylog 2.0. Messages with those fields contain *no valuable data*, so I'd like to *delete* them from a few past indices (yes, I know, I have to *unlock* them first). Is there any ES magic I can use to do this semi-automatically, or do I have to parse the mapping JSON for fields (this is the `jq` query I came up with for now:
>
> `.graylog_158.mappings.message.properties|keys|map(match(".*\\..*"))[].string`)
>
> and delete every message containing the fields the parsing spits out? (`_exists_:` doesn't seem to work with wildcards)
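Below is an added example of the "small script" Jochen describes; it is not code from the thread, from Graylog or from Elastic. It picks the dotted field names out of the index mapping the same way Daniel's `jq` query does, searches for documents that still carry any of them (explicit `exists` filters, since `_exists_:` takes no wildcards), strips the fields with an Update API script sent through the Bulk API, repeats until the search comes back empty, and finally optimizes the index. Assumptions: Elasticsearch 1.7 on `http://localhost:9200`, the Graylog document type `message`, inline Groovy scripting enabled on the cluster (`script.inline: on` in `elasticsearch.yml` on 1.6/1.7; dynamic scripting is off by default, and leaving it on permanently widens the cluster's attack surface, so turn it back off afterwards), and that Graylog's index lock is the `index.blocks.write` setting, which the script clears before updating. Only the pure helper functions are exercised by the test; the HTTP calls need a live cluster.

```python
"""Remove dotted field names from old Graylog message indices (ES 1.7).

Added example, not from the original thread. Assumes ES at localhost:9200,
doc type "message", inline Groovy scripting enabled, and that the index lock
Graylog applies is index.blocks.write.
"""
import json
import re
import urllib.request

ES = "http://localhost:9200"   # assumption: local single-node cluster
DOC_TYPE = "message"           # Graylog stores messages under this type
DOTTED = re.compile(r"\.")

# Groovy update script: drop every key listed in params.fields from _source.
REMOVE_SCRIPT = "for (f in fields) { ctx._source.remove(f) }"


def find_dotted_fields(mapping, index, doc_type=DOC_TYPE):
    """Same selection as the jq query in the question: top-level property
    names under <index>.mappings.<doc_type>.properties containing a dot."""
    props = mapping[index]["mappings"][doc_type]["properties"]
    return sorted(name for name in props if DOTTED.search(name))


def exists_query(fields, size=500):
    """Filtered query for documents carrying at least one of the fields.
    _exists_ in query_string cannot use wildcards, so each field is listed."""
    return {
        "size": size,
        "_source": False,  # only the _id is needed for the update step
        "query": {"filtered": {"filter": {
            "or": [{"exists": {"field": f}} for f in fields]}}},
    }


def build_bulk_body(index, ids, fields, doc_type=DOC_TYPE):
    """Newline-delimited bulk body: one update action + script per _id."""
    lines = []
    for _id in ids:
        lines.append(json.dumps(
            {"update": {"_index": index, "_type": doc_type, "_id": _id}}))
        lines.append(json.dumps(
            {"script": REMOVE_SCRIPT, "lang": "groovy",
             "params": {"fields": fields}}))
    return "\n".join(lines) + "\n"   # bulk bodies must end with a newline


def es(method, path, body=None):
    """Minimal JSON/NDJSON HTTP client for the cluster."""
    if body is None:
        data = None
    elif isinstance(body, str):
        data = body.encode()
    else:
        data = json.dumps(body).encode()
    req = urllib.request.Request(
        ES + path, data=data, method=method,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def remove_dotted_fields(index, batch=500, max_passes=10000):
    """Strip all dotted fields from every document in <index>; returns the
    number of documents updated."""
    fields = find_dotted_fields(es("GET", "/%s/_mapping" % index), index)
    if not fields:
        return 0
    # Unlock the index first (assumption: Graylog locks via index.blocks.write).
    es("PUT", "/%s/_settings" % index, {"index.blocks.write": False})
    updated, last_ids = 0, None
    for _ in range(max_passes):
        hits = es("POST", "/%s/%s/_search" % (index, DOC_TYPE),
                  exists_query(fields, batch))["hits"]["hits"]
        if not hits:
            break
        ids = [h["_id"] for h in hits]
        if ids == last_ids:   # script did not change anything: stop, don't spin
            raise RuntimeError("no progress removing %s from %s" % (fields, index))
        # refresh=true so the next search no longer matches the fixed documents
        result = es("POST", "/_bulk?refresh=true",
                    build_bulk_body(index, ids, fields))
        if result.get("errors"):
            raise RuntimeError(json.dumps(result)[:500])
        updated += len(ids)
        last_ids = ids
    # Jochen's final step: merge the updated index down to one segment.
    es("POST", "/%s/_optimize?max_num_segments=1" % index)
    return updated


if __name__ == "__main__":
    import sys
    for idx in sys.argv[1:]:
        print(idx, remove_dotted_fields(idx))
```

Run it as `python remove_dotted.py graylog_158 graylog_159 ...` against the unlocked indices. One caveat worth knowing before relying on this for an upgrade: Elasticsearch only ever adds to a mapping, so deleting the dotted fields from every document clears their data but leaves the `snmp.*` entries in the index mapping; getting them out of the mapping itself requires reindexing into a freshly created index.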
