Delete_by_query increases the storage size

Billz1026 · May 24, 2021, 9:50am

Hi All,

I have used following "delete_by_query" to delete large number of documents from an index of my ES.

POST /winlogbeat-7.12.0-2021.05.20-000029/_delete_by_query
{
  "query": {
    "match": {
      "event.code": "5157"
    }
  }
}

The first thing I noticed is, the delete operation is taking long time to delete the documents.

Apart from that I have noticed, the size of the index is increasing though the document count reduces.
The intention of the delete operation was to free the storage by removing less important logs.
Can someone please let me know why this is happening and guide me to free the space correctly.

Thanks
Billz1026

Christian_Dahlqvist · May 24, 2021, 10:05am

Elasticsearch shards use immutable segments for storing data so when you delete a document you create a tombstone record, but the documents are not physically deleted until the underlying segments are merged.

Billz1026 · May 24, 2021, 10:16am

Hi Christian,

Thanks for the reply. after bit reading I found that I have to run "forcemerge" to free the space. Can you please let me know whether I am in the correct path?

BR,
Billz1026

Christian_Dahlqvist · May 24, 2021, 10:21am

Yes that is correct.

Billz1026 · May 24, 2021, 10:22am

Thanks Christian

system · June 21, 2021, 10:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Delete_by_query & _forcemerge doesn't free disk space Elasticsearch	11	2856	May 23, 2018
Free disk space monitoring after deleting records Elasticsearch	6	19131	September 27, 2018
Delete document from elasticsearch Elasticsearch	4	319	February 9, 2021
_delete_by_queryで空いたストレージを利用したい日本語による質問・議論はこちら	3	1206	November 16, 2020
Delete documents by query and disk storage Elasticsearch	2	494	January 2, 2020

Delete_by_query increases the storage size

Related topics