Hey ELKers,
We're running logging through Elastic but weren't very specific on our log indexes and had Elastic Agent pump all the logs into logs-kubernetes.container_logs. Most of these logs have by now rotated through to the frozen tier and are stored as a searchable snapshot.
I don't want to delete the full snapshots for these logs but retain certain documents. I've tried (1) restoring the snapshot and doing a DeleteByQuery, (2) moving the index back to warm / hot using the Move to lifecycle step API, (3) reindexing the documents from the snapshot, deleting the snapshot.
Probably the latter is the way to go, but I can't seem to get it to work using the docs - as these don't really mention snapshots or frozen indices (frozen being ILM-tier frozen, not the deprecated frozen index).
What's a good course of action here?
Regards,
Max.