Hello,
I am removing messages from nonprod kubernetes namespaces using next query
--query=app-*/_delete_by_query -XPOST -d'{ "query": {"bool": {"must": [{"regexp": {"kubernetes.namespace_name": {"value": ".*nonprod"}}},{"range": {"@timestamp": {"gte": "now-2d/d","lt": "now-1d/d"}}}]}}}'
I am supposed to remove logs from day after yesterday, so keep just yesterday's logs
It is removing fine from single index created during in that day, but in case if it were more then one created during that date, after command completes logs to be removed still remains in the second index.
Example
green open app-000310 3 1 32285184 14312628 53.8gb 2022-02-25T18:45:10.117Z
green open app-000311 3 1 29490388 7776937 43gb 2022-02-26T11:00:17.009Z
green open app-000312 3 1 30822018 12562197 50.9gb 2022-02-27T03:15:07.971Z
green open app-000313 3 1 60173254 11155099 82.9gb 2022-02-27T19:15:16.120Z
green open app-000314 3 1 72956747 3000 85gb 2022-02-28T11:30:15.957Z
green open app-000315 3 1 39312439 0 52.6gb 2022-03-01T03:45:15.173Z
and running query, let say on date 1.03 supposing to clean indecies from date 27.02 , e.g app-000312 app-000313.
but logs still remain in app-000313 after command completed.
{"took":9633584,"timed_out":false,"total":46032215,"deleted":46032215,"batches":46033,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}
Any tip, suggest where to look pls ?