I am not sure if the data is actually deleted synchronously with your request or if it is deleted asynchronously (meaning eventually) after your request completes. I would imagine the latter, but that is a guess on my part.
On Wed, Sep 6, 2017 at 5:43 PM Frank Horsfall <[email protected]> wrote:
> Thanks Nick.
>
> If I delete the indices will they only be regenerated from data stored
> elsewhere or is the data removed after the indices are created? Sorry if
> the question sounds dumb. I'm still coming up to speed with the product.
>
> Frank
>
> *From:* Nick Allen [mailto:[email protected]]
> *Sent:* Wednesday, September 6, 2017 5:19 PM
> *To:* [email protected]
> *Subject:* Re: Clearing of data to start over
>
> Hi Frank -
>
> (1) Here is a link on how to delete indices from Elasticsearch. It is as
> simple as a "DELETE /bro*".
> https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-delete-index.html
>
> (2) Check and see if YAF is running with a command-line argument
> "--idle-timeout 0". That causes YAF to write a flow record for each
> packet. We only do that to drive test data through the system. In a live
> system just remove that argument.
>
> (3) For Snort, you need to reload the rule set after you make a change.
> You can use "service snortd reload" or send a SIGHUP to the running process.
>
> On Wed, Sep 6, 2017 at 5:00 PM Frank Horsfall <[email protected]> wrote:
>> Hello all,
>>
>> I have installed a 3 node system using the bare metal Centos 7 guideline.
>>
>> https://cwiki.apache.org/confluence/display/METRON/Metron+0.4.0+with+HDP+2.5+bare-metal+install+on+Centos+7+with+MariaDB+for+Metron+REST
>>
>> It has taken me a while to have all components working properly and I left
>> the yaf, bro, snort apps running so quite a lot of data has been generated.
>> Currently, I have almost 18 million events identified in Kibana. 16+
>> million are yaf based, and 2+ million are snort …. 190 events are my new
>> squid telemetry, J. It looks like it still has a while to go before it
>> catches up to current day. I recently shut down the apps.
>>
>> My questions are:
>>
>> 1. Is there a way to wipe all my data and indices clean so that I
>> may now begin with a fresh dataset?
>>
>> 2. Is there a way to configure yaf so that its data is meaningful?
>> It is currently creating what looks to be test data?
>>
>> 3. I have commented out the test snort rule but it is still
>> generating the odd record which once again looks like test data. Can
>> this be stopped as well?
>>
>> Kindest regards,
>>
>> Frank
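A note on the "DELETE /bro*" step discussed in the thread: a wildcard delete removes every matching index in a single call, which is why Elasticsearch ships the `action.destructive_requires_name` setting to refuse wildcard and `_all` deletes. The script below is an added example, not code from the thread or from the Metron project. It resolves the wildcard against the cluster's own index list first, excludes dot-prefixed system indices such as `.kibana`, and defaults to a dry run so the exact names can be reviewed before anything is sent. The index names, the `http://localhost:9200` URL and the absence of authentication are constructed assumptions for illustration.

```python
"""Resolve an Elasticsearch index wildcard to explicit names before deleting.

Added example (not from the Metron thread): instead of issuing
"DELETE /bro*" blind, list the indices, show exactly which names match,
and delete only the resolved list. Index names and the base URL are
constructed for illustration.
"""
import fnmatch
import json
import urllib.request

# Constructed sample of what GET /_cat/indices?h=index&format=json returns.
SAMPLE_CAT_INDICES = [
    {"index": "bro_index_2017.09.06.17"},
    {"index": "bro_index_2017.09.06.18"},
    {"index": "yaf_index_2017.09.06.17"},
    {"index": "snort_index_2017.09.06.17"},
    {"index": ".kibana"},
]


def list_indices(base_url):
    """Return the index names reported by the _cat API of the cluster at base_url."""
    with urllib.request.urlopen(f"{base_url}/_cat/indices?h=index&format=json") as resp:
        return [row["index"] for row in json.load(resp)]


def select_indices(names, patterns, protect_hidden=True):
    """Return the sorted subset of names matching any shell-style pattern.

    Indices whose name starts with '.' (e.g. .kibana) are never selected
    unless protect_hidden=False, so a broad pattern like '*' cannot take
    them out by accident.
    """
    selected = []
    for name in names:
        if protect_hidden and name.startswith("."):
            continue
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns):
            selected.append(name)
    return sorted(selected)


def delete_indices(base_url, names, dry_run=True):
    """Issue one DELETE per explicit index name and return the URLs acted on.

    With dry_run=True nothing is sent, so the resolved list can be reviewed
    before the destructive call is made.
    """
    urls = [f"{base_url}/{name}" for name in names]
    if not dry_run:
        for url in urls:
            req = urllib.request.Request(url, method="DELETE")
            with urllib.request.urlopen(req) as resp:
                resp.read()
    return urls


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a live cluster
    # replace the list comprehension with list_indices("http://localhost:9200").
    names = [row["index"] for row in SAMPLE_CAT_INDICES]
    targets = select_indices(names, ["bro*", "yaf*", "snort*"])
    for url in delete_indices("http://localhost:9200", targets):
        print("would DELETE", url)
```

Run it once in dry-run mode, confirm the printed list is what you intend to lose, then call `delete_indices(..., dry_run=False)`; Metron's writers will recreate the indices on the next batch, so only the stored events are gone.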
