Delete data by beat.name

faulander · October 10, 2018, 1:59pm

Hi Guys,
Can you point me in the right direction when i want to delete data from a given hostname or beatname?

i tried:

POST metricbeat-6.4.0-2018.10.10/_delete_by_query
{
  "query": { 
    "match": {
      "term" : { "beat.name" : "Test"
      }
    }
  }
}

but it doesn't work. So simple question: How do i delete data by beat.name?

dadoonet · October 10, 2018, 2:11pm

What gives the following?

GET metricbeat-6.4.0-2018.10.10/_search
{
  "query": { 
    "match": {
      "term" : { "beat.name" : "Test"
      }
    }
  }
}

May be try with "beat.name" : "test" BTW. I guess it depends on the mapping for that field as you are using a Term query.

faulander · October 10, 2018, 2:16pm

Thank you David, GET doesn't find the data either.

What would be the preferred way to delete data shipped by MetricBeat? The Shippers all have unique names and (of course) hostnames.

dadoonet · October 10, 2018, 2:20pm

Depends on your mapping and your actual data. I guess Test was an example.

faulander · October 10, 2018, 2:23pm

yes, here is the exact data i am talking about:

2018-10-10%2016_22_21-Window

dadoonet · October 10, 2018, 2:24pm

It does not tell me anything about the mapping.
But here is a guess then. Try this:

GET metricbeat-6.4.0-2018.10.10/_search
{
  "query": { 
    "match": { "beat.name" : "Test" }
  }
}

faulander · October 10, 2018, 2:55pm

That works. Deleting still doesn't work though:
POST metricbeat-6.4.0-2018.10.10/_delete_by_query
{
"query": {
"match": { "beat.name" : "Test - Daimler - SAML" }
}
}

Output:
{
"took": 1,
"timed_out": false,
"total": 0,
"deleted": 0,
"batches": 0,
"version_conflicts": 0,
"noops": 0,
"retries": {
"bulk": 0,
"search": 0
},
"throttled_millis": 0,
"requests_per_second": -1,
"throttled_until_millis": 0,
"failures":
}

dadoonet · October 10, 2018, 3:07pm

In one case you searched for Test but then you deleted something else?

faulander · October 10, 2018, 3:32pm

Test was just an Example. Of course i tried the GET also with the „correct“ term - the same i tried with the Delete Statement

dadoonet · October 10, 2018, 3:57pm

If search gives back results, delete by query should work as well.

If not, please share the full commands you're passing to the system and both results.
And the mapping for your index.

faulander · October 11, 2018, 8:30am

Search:
GET metricbeat-6.4.0-2018.10.10/_search
{
"query": {
"match": { "beat.name" : "Test - Daimler - SAML" }
}
}
Response:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 0,
"max_score": null,
"hits": []
}
}
Delete:
POST metricbeat-6.4.0-2018.10.10/_delete_by_query
{
"query": {
"match": { "beat.name" : "Test - Daimler - SAML" }
}
}
Response:
{
"took": 0,
"timed_out": false,
"total": 0,
"deleted": 0,
"batches": 0,
"version_conflicts": 0,
"noops": 0,
"retries": {
"bulk": 0,
"search": 0
},
"throttled_millis": 0,
"requests_per_second": -1,
"throttled_until_millis": 0,
"failures": []
}

dadoonet · October 11, 2018, 9:42am

so the search gave back 0 result.
Why would delete by query give another result?

faulander · October 11, 2018, 12:03pm

David, i am an idiot. Sorry, topic can be closed.

system · November 8, 2018, 12:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.