I'm trying, without any luck, to find the correct syntax / query to delete multiple messages from a Graylog2 instance (2.4.6 for both ES and Graylog), based on a pattern matching the "source" field (as seen in the Graylog web UI).

I already tried a lot of combinations, but none works:

root@log [~]: curl -XDELETE 'http://localhost:9200/graylog_71/message/_query' -d'{"query" : {"term": { "source" : "exact_server_name_here"}}}'
{"found":false,"_index":"graylog_71","_type":"message","_id":"_query","_version":2,"_shards":{"total":1,"successful":1,"failed":0}}

Another try:

root@log [~]: curl -XDELETE 'http://localhost:9200/graylog_71/message/_query' -d '
{
  "query": {
    "query_string" : {
      "query" : "exact_server_name_here"
    }
  }
}
'

I also checked this SO post, which worked but which does not fit my needs: Delete a specific log message from Graylog

To answer Val's comment: yes, the delete plugin is installed (I forgot to mention this in my initial post).

bear with the ES newbie I am :)

Thanks

[edit#1] As per Val's request:

root@log [~]: curl 'localhost:9200/_cat/plugins?v'
name component version type url
  • You probably don't have the delete by query plugin. See here: https://stackoverflow.com/questions/40395463/how-to-delete-all-data-from-an-index-using-delete-by-query-plugin-with-es-2-x-v/40395676#40395676 – Val Sep 21 '18 at 08:12
  • @Val it is installed, I updated my question, thanks – Pier Sep 21 '18 at 08:34
  • According to the response you get, it is trying to delete a document whose id is `_id`... can you run this `curl 'localhost:9200/_cat/plugins?v'`? – Val Sep 21 '18 at 08:37
  • Do you have the `delete_by_query` plugin installed for Elasticsearch? – AHT Sep 21 '18 at 12:03
  • @AHT: Yep, I do, _the delete plugin is installed_ :) – Pier Sep 21 '18 at 12:17

1 Answer

OK, my bad, being an ES newbie does not excuse everything: the plugin was actually installed, but ES needs to be restarted to make it available (as seen in the _cat/plugins query).

After a restart the following query works flawlessly (of course):

curl -XDELETE 'http://localhost:9200/graylog_68/message/_query' -d '
{
  "query": {
    "query_string" : {
      "query" : "source : <exact_server_name_here>"
    }
  }
}
'

Thanks to Val for the pointer.

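The answer above boils down to three things a practitioner wants to check before running a delete-by-query against Graylog's indices: that the plugin is really active (a header-only `_cat/plugins` listing means ES was not restarted), that the `DELETE .../message/_query` call was not silently routed to the document API (the `"_id":"_query","found":false` response in the question), and how many messages the query will actually remove. The script below is an added example, not the poster's or Graylog's own code. It assumes Elasticsearch 2.x with the `delete-by-query` plugin loaded, reachable unauthenticated at `http://localhost:9200`, Graylog's `graylog_<n>` index / `message` type layout, and that `source` is indexed as a single keyword token (as Graylog's index template does), so a `term` query on the value exactly as the web UI shows it is used instead of `query_string`. All HTTP goes through a `transport(method, path, body)` callable, and the `FakeES` class and `SAMPLE` messages are constructed stand-ins so the logic runs offline.

```python
"""Delete Graylog messages from Elasticsearch 2.x by exact "source" value.

Added example (not from the original post). Assumes ES 2.x + delete-by-query
plugin, Graylog's graylog_<n>/message layout, and a keyword-indexed `source`.
"""
import json
import urllib.request
from urllib.error import HTTPError

ES_URL = "http://localhost:9200"   # assumption: local, unauthenticated ES


def http_transport(method, path, body=None):
    """Real transport: one request, returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def source_query(server_name):
    """Exact match on `source`. A `term` query is not parsed the way
    query_string is, so a name containing ':' or '*' cannot widen the match."""
    return {"query": {"term": {"source": server_name}}}


def plugin_loaded(transport):
    """_cat/plugins lists one row per loaded plugin; a header-only answer
    (as in the question) means the plugin was installed but ES not restarted."""
    status, rows = transport("GET", "/_cat/plugins?format=json")
    return status == 200 and any(
        r.get("component") == "delete-by-query" for r in rows)


def count_matches(transport, index, server_name):
    """Dry run: how many messages in `index` the delete would hit."""
    status, body = transport("POST", "/%s/message/_count" % index,
                             source_query(server_name))
    if status != 200:
        raise RuntimeError("count on %s failed: %s" % (index, body))
    return body["count"]


def delete_by_source(transport, index, server_name):
    """Count, delete, recount. Returns the number of messages removed."""
    if not plugin_loaded(transport):
        raise RuntimeError("delete-by-query plugin not active: restart ES")
    before = count_matches(transport, index, server_name)
    if before == 0:
        return 0
    status, body = transport("DELETE", "/%s/message/_query" % index,
                             source_query(server_name))
    # Without the plugin ES routes this to the document API and answers
    # {"found": false, "_id": "_query", ...}: the response seen in the question.
    if status != 200 or body.get("_id") == "_query":
        raise RuntimeError("delete-by-query not honoured: %s" % body)
    return before - count_matches(transport, index, server_name)


class FakeES:
    """Constructed stand-in for an ES 2.x node so the script runs offline."""

    def __init__(self, docs, plugin=True):
        self.docs = {idx: list(msgs) for idx, msgs in docs.items()}
        self.plugin = plugin

    def __call__(self, method, path, body=None):
        if path.startswith("/_cat/plugins"):
            row = {"name": "node1", "component": "delete-by-query",
                   "version": "2.4.6", "type": "j", "url": ""}
            return 200, ([row] if self.plugin else [])
        index, _, endpoint = path.lstrip("/").split("/")
        wanted = body["query"]["term"]["source"]
        hits = [d for d in self.docs.get(index, []) if d["source"] == wanted]
        if endpoint == "_count":
            return 200, {"count": len(hits)}
        if endpoint == "_query" and self.plugin:
            self.docs[index] = [d for d in self.docs[index] if d not in hits]
            return 200, {"_indices": {index: {"deleted": len(hits)}}}
        # plugin absent: "_query" is treated as a document id
        return 404, {"found": False, "_index": index, "_type": "message",
                     "_id": "_query"}


# Constructed sample messages (not real log data).
SAMPLE = {"graylog_68": [
    {"source": "web01", "message": "GET /"},
    {"source": "web01", "message": "GET /login"},
    {"source": "db01", "message": "checkpoint complete"},
]}

if __name__ == "__main__":
    print("removed", delete_by_source(FakeES(SAMPLE), "graylog_68", "web01"))
    # Against a real node: delete_by_source(http_transport, "graylog_68", "web01")
```

Run it once with `FakeES` to see the count/delete/recount flow, then swap in `http_transport`. Keep in mind that Graylog spreads messages over several `graylog_<n>` indices, so the same call is needed per index, and that deleting log messages is irreversible destruction of evidence: the dry-run count is there so the operator sees the blast radius before the DELETE is sent.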