Delete the document in elasticsearch

Jay_Dabhi · November 20, 2017, 12:29pm

I want to delete the document in elasticserach by timestamp and one of the custom field "cu_hostname".
I want to remove all the documents which are in the specific time stamp which have the value "cu_hostname=abc"

I have written a query for timestamp as below:
POST filebeat-perf-1/_delete_by_query
{
"query":{
"range": {
"@timestamp": {
"gte": "1510511400000",
"lte": "1510597799000"
}
}
}
}
and deleting the custom field:
curl -XPOST '10.193.104.42:9200/filebeat-perf-1/_delete_by_query?conflicts=proceed&pretty' -H 'Content-Type: application/json' -d'
{
"query": {
"wildcard": {
"cu_hostname": "abc"
}
}
}

How to combine both this query?

abdon · November 22, 2017, 10:36pm

To combine queries you can use the bool query. To delete all documents that match both queries, you can stick those queries in a must clause:

{
  "query": {
    "bool": {
      "must": [
        {
          "query": {
            "range": {
              "@timestamp": {
                "gte": "1510511400000",
                "lte": "1510597799000"
              }
            }
          }
        },
        {
          "query": {
            "wildcard": {
              "cu_hostname": "abc"
            }
          }
        }
      ]
    }
  }
}

To delete documents that match either one of the queries (not necessarily both, but at least one), you can stick the queries in a should clause:

{
  "query": {
    "bool": {
      "should": [
        {
          "query": {
            "range": {
              "@timestamp": {
                "gte": "1510511400000",
                "lte": "1510597799000"
              }
            }
          }
        },
        {
          "query": {
            "wildcard": {
              "cu_hostname": "abc"
            }
          }
        }
      ]
    }
  }
}

system · December 20, 2017, 10:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.