Delete All ES 2.4.1 Data for a Given filebeat Host

Elastic Stack Elasticsearch
1

Hi
Trying to clear all data belonging to a particular beat host. Started with the following query:
curl -XGET 'localhost:9200/filebeat-2017.05.10/_search?pretty' -H 'Content-Type: application/json' -d '{"query":{"filtered":{"query":{"query_string":{"query":"(beat.hostname:$BEAT_HOSTNAME)"}}}}}', which returns the desired results. I was hoping after installing delete-by-query, and replacing GET with DELETE the removal should take place. However, I get the following:
No handler found for uri [/filebeat-2017.05.10/_search?pretty] and method [DELETE]

(Probably, I am doing this wrong.) Any ideas as how to remove beat data for a given host?
Cheers,

2

Looks like you are using the wrong syntax for delete by query plugin. It should be _query instead of _search. Check out https://www.elastic.co/guide/en/elasticsearch/plugins/2.4/delete-by-query-usage.html

3

Hi
Thank you for your reply. "_query" does not seem to be a valid option in 2.4.1:

GET:
curl -XGET 'localhost:9200/filebeat-2017.05.10/_query?pretty' -d '{"query":{"filtered":{"query":{"query_string":{"query":"($BEAT_HOSTNAME)"}}}}}'
{
"error" : {
"root_cause" : [ {
"type" : "illegal_argument_exception",
"reason" : "No feature for name [_query]"
} ],
"type" : "illegal_argument_exception",
"reason" : "No feature for name [_query]"
},
"status" : 400
}

DELETE:
curl -XDELETE 'localhost:9200/filebeat-2017.05.10/_query?pretty' -d '{"query":{"filtered":{"query":{"query_string":{"query":"($BEAT_HOSTNAME)"}}}}}'
No handler found for uri [/filebeat-2017.05.10/_query?pretty] and method [DELETE]

Cheers,

4

It worked fine for me on 2.4.1

DELETE test/_query
{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "anh"
        }
      }
    }
  }
}

{
  "took": 201,
  "timed_out": false,
  "_indices": {
    "_all": {
      "found": 3,
      "deleted": 3,
      "missing": 0,
      "failed": 0
    },
    "test": {
      "found": 3,
      "deleted": 3,
      "missing": 0,
      "failed": 0
    }
  },
  "failures": [

  ]
}

Have you done this?

The plugin must be installed on every node in the cluster, and each node must be restarted after installation.

If yes, perhaps install the Kopf plugin GitHub - lmenezes/elasticsearch-kopf: web admin interface for elasticsearch and run the query from there.

5

Thank you for your reply. I am wondering if you have the opportunity to try the above on a filebeat server. I have tried 2 variations:
1- curl -XDELETE 'localhost:9200/filebeat-/_query' -H 'Content-Type: application/json' -d '{"query":{"filtered":{"query":{"query_string":{"query":"SomeHostName"}}}}}'
No handler found for uri [/filebeat-/_query] and method [DELETE]
2- curl -XDELETE 'localhost:9200/filebeat-/_query' -H 'Content-Type: application/json' -d '{"query":{"filtered":{"query":{"query_string":{"query":"(beat.hostname:vanlabvpa18.cisco.com)"}}}}}'
No handler found for uri [/filebeat-/_query] and method [DELETE]

Both seem to indicate that there is no delete and query handler on filebeat entries.
Note that I can completely wipe out filebeat indices with:
curl -XDELETE 'localhost:9200/filebeat-*?pretty'
And as noted above, I can GET and query filebeat entries; however, combining the 2 doesn't seem to be possible.

( Kopf seems to be deprecated in favour of cerebro. Will look into it.)
Cheers,

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.