Hi,
I'm new to ELK. Our previous sysadmin installed and configured the ELK server, but it is running out of space...
I want to know if I can delete data from indices without reconfiguring the entire server or ELK?
Welcome to our community!
You can use curl or Dev Tools to delete indices.
Don't delete them on the filesystem though as it'll cause issues. Only ever use the APIs.
Hi,
But how do I do it? I'm new to this subject, and our Kibana has stopped working because it is out of space.
If you look at the second link, it has an example that you can copy as curl.
Hi,
But that deletes the entire index.
I need to delete data from the index.
Then you need to use delete by query, which is much more complex.
So if I delete from indices, how do I see the indices?
And how do I see the data in the indices? I need to delete only old logs.
You need to pass in the indices you want the query to run against. Use the _cat/indices?v endpoint to check that.
Once you have that you can craft a delete by query with a timerange in it to delete older events.
Hi,
I ran the command _cat/indices?v
and found the indices I need to delete old data from.
How do I now run queries to find old data?
Ahh yikes, a single index for that is not really ideal. It looks like it was not set up correctly.
If you want to keep the last month's worth of data, then use this;
GET _search
{
  "query": {
    "range": {
      "timestamp": {
        "gte": "now-30d/d"
      }
    }
  }
}
To show that data, then use this to delete it;
POST /my-index-000001/_delete_by_query
{
  "query": {
    "range": {
      "timestamp": {
        "lt": "now-30d/d"
      }
    }
  }
}
Where gte is set to 30 days ago, rounded up to the day (i.e. midnight).
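As an added example (not part of this thread), a small Python script that counts the events older than 30 days before deleting them, and refuses a body that would match the data you meant to keep. It assumes Elasticsearch is reachable at localhost:9200 and that the date field is called timestamp, as in the queries above.

```python
import json
import urllib.request

# Assumption: the cluster is reachable here; change to match your setup.
ES_URL = "http://localhost:9200"

def old_events_query(field="timestamp", keep_days=30):
    """Range query matching events OLDER than keep_days.
    The search above uses 'gte' to show the last 30 days (the data to keep);
    the delete must use 'lt' so that only older events are matched."""
    return {"query": {"range": {field: {"lt": f"now-{keep_days}d/d"}}}}

def is_safe_delete_body(body):
    """Accept only a single range with one upper bound (lt/lte).
    A match_all or gte body handed to _delete_by_query removes the recent data."""
    rng = body.get("query", {}).get("range")
    if not rng or len(rng) != 1:
        return False
    bounds = next(iter(rng.values()))
    return len(bounds) == 1 and set(bounds) <= {"lt", "lte"}

def _post(path, body, timeout=300):
    req = urllib.request.Request(
        ES_URL + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def count_old(index, field="timestamp", keep_days=30):
    """Dry run: how many documents the delete would remove."""
    return _post(f"/{index}/_count", old_events_query(field, keep_days))["count"]

def delete_old(index, field="timestamp", keep_days=30, dry_run=True):
    body = old_events_query(field, keep_days)
    if not is_safe_delete_body(body):
        raise ValueError("refusing to run an unbounded delete")
    n = count_old(index, field, keep_days)
    if dry_run:
        return {"would_delete": n}
    # conflicts=proceed keeps going if a document changes mid-run;
    # wait_for_completion=false returns a task id you can poll with the tasks API.
    return _post(f"/{index}/_delete_by_query?conflicts=proceed&wait_for_completion=false", body)

if __name__ == "__main__":
    import sys
    idx = sys.argv[1] if len(sys.argv) > 1 else "my-index-000001"
    print(delete_old(idx, dry_run="--delete" not in sys.argv))
```

Run it once without --delete to see the count, then with --delete to start the task.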
Hi,
Thanks for the answer.
With the way you recommended, do I need to install some plugin?
Nope.
I would suggest you create a new topic to dive into your setup; it sounds like we can make your life a little easier by digging into it and making some changes.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.