Delete by query?

Hello.

I'm using delete_by_query to remove old data from all index.
Looks like that:

POST */_delete_by_query
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lt": "now-180d"
            }
          }
        }
      ]
    }
  }
}

It works perfectly, and the answer I get is:

{
  "took" : 13,
  "timed_out" : false,
  "total" : 0,
  "deleted" : 0,
  "batches" : 0,
  "version_conflicts" : 0,
  "noops" : 0,
  "retries" : {
    "bulk" : 0,
    "search" : 0
  },
  "throttled_millis" : 0,
  "requests_per_second" : -1.0,
  "throttled_until_millis" : 0,
  "failures" : [ ]
}

Now, what I need is filter this data deleting all index where a field have a special name.
For example: Delete last 180 days from all index than their fields agent.hostname are box_1.

I'm trying this:

POST */_delete_by_query
{
  "query": {
    "match":{
      "agent.hostname": "box_1"
    },
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lt": "now-180d"
            }
          }
        }
      ]
    }
  }
}

I need to match the field agent.hostname in my delete_by_query

Any suggestions?

POST */_delete_by_query
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lt": "now-180d"
            }
          }
        },
        {
          "term": {
            "agent.hostname": "box_1"
          }
        }
      ]
    }
  }
}

Thank you so much!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.