Delete All ES 2.4.1 Data for a Given filebeat Host

Nastooh · May 10, 2017, 8:47pm

Hi
Trying to clear all data belonging to a particular beat host. Started with the following query:
curl -XGET 'localhost:9200/filebeat-2017.05.10/_search?pretty' -H 'Content-Type: application/json' -d '{"query":{"filtered":{"query":{"query_string":{"query":"(beat.hostname:$BEAT_HOSTNAME)"}}}}}', which returns the desired results. I was hoping after installing delete-by-query, and replacing GET with DELETE the removal should take place. However, I get the following:
No handler found for uri [/filebeat-2017.05.10/_search?pretty] and method [DELETE]

(Probably, I am doing this wrong.) Any ideas as how to remove beat data for a given host?
Cheers,

anhlqn · May 11, 2017, 5:51am

Looks like you are using the wrong syntax for delete by query plugin. It should be _query instead of _search. Check out https://www.elastic.co/guide/en/elasticsearch/plugins/2.4/delete-by-query-usage.html

Nastooh · May 11, 2017, 3:47pm

Hi
Thank you for your reply. "_query" does not seem to be a valid option in 2.4.1:

GET:
curl -XGET 'localhost:9200/filebeat-2017.05.10/_query?pretty' -d '{"query":{"filtered":{"query":{"query_string":{"query":"($BEAT_HOSTNAME)"}}}}}'
{
"error" : {
"root_cause" : [ {
"type" : "illegal_argument_exception",
"reason" : "No feature for name [_query]"
} ],
"type" : "illegal_argument_exception",
"reason" : "No feature for name [_query]"
},
"status" : 400
}

DELETE:
curl -XDELETE 'localhost:9200/filebeat-2017.05.10/_query?pretty' -d '{"query":{"filtered":{"query":{"query_string":{"query":"($BEAT_HOSTNAME)"}}}}}'
No handler found for uri [/filebeat-2017.05.10/_query?pretty] and method [DELETE]

Cheers,

anhlqn · May 13, 2017, 6:41am

It worked fine for me on 2.4.1

DELETE test/_query
{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "anh"
        }
      }
    }
  }
}

{
  "took": 201,
  "timed_out": false,
  "_indices": {
    "_all": {
      "found": 3,
      "deleted": 3,
      "missing": 0,
      "failed": 0
    },
    "test": {
      "found": 3,
      "deleted": 3,
      "missing": 0,
      "failed": 0
    }
  },
  "failures": [

  ]
}

Have you done this?

The plugin must be installed on every node in the cluster, and each node must be restarted after installation.

If yes, perhaps install the Kopf plugin GitHub - lmenezes/elasticsearch-kopf: web admin interface for elasticsearch and run the query from there.

Nastooh · May 15, 2017, 1:03am

Thank you for your reply. I am wondering if you have the opportunity to try the above on a filebeat server. I have tried 2 variations:
1- curl -XDELETE 'localhost:9200/filebeat-/_query' -H 'Content-Type: application/json' -d '{"query":{"filtered":{"query":{"query_string":{"query":"SomeHostName"}}}}}'
No handler found for uri [/filebeat-/_query] and method [DELETE]
2- curl -XDELETE 'localhost:9200/filebeat-/_query' -H 'Content-Type: application/json' -d '{"query":{"filtered":{"query":{"query_string":{"query":"(beat.hostname:vanlabvpa18.cisco.com)"}}}}}'
No handler found for uri [/filebeat-/_query] and method [DELETE]

Both seem to indicate that there is no delete and query handler on filebeat entries.
Note that I can completely wipe out filebeat indices with:
curl -XDELETE 'localhost:9200/filebeat-*?pretty'
And as noted above, I can GET and query filebeat entries; however, combining the 2 doesn't seem to be possible.

( Kopf seems to be deprecated in favour of cerebro. Will look into it.)
Cheers,

system · June 12, 2017, 1:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.