Delete by source

Juan_Andres_Ramirez · October 1, 2015, 1:06pm

Hello Guys!,
I'm going to try delete documents from specific source, and I have the next struct:

"_index" : "graylog2_0",
"_type" : "message",
"_id" : "502a30a1-33a9-11e5-8a4c-005056a9199b",
"_score" : 1.0,
"_source":{ "request_time":"15:16:50","version":"1.1","SourceName":"IIS","sc-substatus":0,"source":"SERVER-NAME","streams":[]}

So I need delete every document or message or input with "source": "SERVER-NAME".
I tried with this command but I had error:

curl -XDELETE 'http://10.101.81.199:9200/graylog2_20/_search?source:SERVER-1'
{"error":"ClusterBlockException[blocked by: [FORBIDDEN/8/index write (api)];]","status":403}

Someone knows how to delete?.

Thank you.

Juan_Andres_Ramirez · October 1, 2015, 2:04pm

I tried by query, but I had error too:

# curl -XGET 'http://10.101.81.199:9200/graylog2_20/message/_query' -d '{
> "query_string":{
> "default_field" : "source",
> "query": "SERVER-1"
> }
> }'
{"_index":"graylog2_20","_type":"message","_id":"_query","found":false}

Thank you.

Juan_Andres_Ramirez · October 1, 2015, 5:47pm

I used the next command and the problems still there.

# curl -XDELETE 'http://10.101.81.199:9200/graylog2_0/_search?pretty' -d '{
"query": { "match": {"source": "SERVER-1"}},
"_source": ["source"]}'

And the output:

"error" : "TypeMissingException[[_all] type[[_search]] missing: No index has the type.]",
  "status" : 404

Thank you.