Always keep under docs.deleted after Delete By Query API

lauea · February 9, 2018, 7:34am

Hi guys,

These days I deleted documents by Query API. Below is my command to delete my document by Query API.

curl -XPOST 'http://elasticsearch:9200/myindex/_delete_by_query?pretty' -H 'Content-Type: application/json' -d'
{
  "query": {
    "range" : {
        "createTime" : {
           "lte" : "2018-02-08"
        }
    }
  }
}
'

After took effect to delete document by Query API. But it always keep under docs.deleted. Here you are to see:

[user@elk ~]$ curl -XGET "http://elasticsearch:9200/_cat/indices/myindex  ?v"
health status index    uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   myindex  STGtht6tes2upE4WrSOKTg   5   1   46420892      3271000     29.3gb         14.3gb

In additional, it still occupied the store.size.

If anyone know how to release the deleted size. Restart all cluster node?

Regards/Eason

dadoonet · February 9, 2018, 7:56am

A _forcemerge should help.

Note that is the reason using timebased indices is much better!

lauea · February 9, 2018, 8:09am

HI @dadoonet,

You mean need to _forcemerge and will really delete it?
If user timebased indices, it will delete whole indice, which is not my expectation. So that I use _delete_by_query.

dadoonet · February 9, 2018, 8:34am

Yes. This is what I meant. Force merge API | Elasticsearch Guide [8.11] | Elastic

If user timebased indices, it will delete whole indice, which is not my expectation. So that I use _delete_by_query.

But your request shows: "lte" : "2018-02-08" here?

Which is basically the same thing as doing something like:

DELETE 2017-*,2018-01-*,2018-02-01,2018-02-02,2018-02-03,2018-02-04,2018-02-05,2018-02-06,2018-02-07,2018-02-08

But my version of it is a way much more efficient than your way!

So if it's a one time only operation, using the DELETE BY QUERY could be fine as long as you remove only a small subset of the data. Otherwise, if you meant to keep like 10% of the data, it's better to use REINDEX API and drop the old index.
If it's a task you are going to run every day, then use timebased indices and then use Curator to automate that index removal every day.

lauea · February 9, 2018, 8:55am

Oh. One thing to be mentioned, I only have one index to store all data, not separate them by date postfix for indice name. So I only one way to delete the document of indice instead of indices.

dadoonet · February 9, 2018, 9:27am

That's exactly what I meant.
It's wrong IMO and you should revisit your architecture.

system · March 9, 2018, 9:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
When deleting by query api all my documents get deleted Elasticsearch	3	451	February 9, 2018
Delete by query deletes only 1000 documents, then quits Elasticsearch	8	197	February 5, 2024
When deleting by query api the number of deleted_docs and index size_in_bytes does not decrease Elasticsearch	3	1074	July 6, 2017
After 10 millions documents deleted, I just won 500 mo Elasticsearch	4	588	January 16, 2017
How can I delete documents 3 months older? Kibana	6	245	July 5, 2023

Always keep under docs.deleted after Delete By Query API

Related topics