Deleting documents from index

reddy1262 · May 27, 2020, 9:57am

Hi Team,

we want to delete documents which are older than 30 days for an index from Kibana. Please suggest us how can we do this better. We tried below

POST elastalert_status_status/_delete_by_query
{
"query": {
"range" : {
"@timestamp" : {
"lte" : “now-30d”,
"format": "MM/dd/yyyy||yyyy"
}
}
}
}

Deleting documents only flags these as deleted, so they would not be searched. To reclaim disk space we are running below

POST /ielastalert_status_status/_forcemerge?only_expunge_deletes=true

Is there any way that we can schedule to run in Kibana or do we need to manually run them everytime?

Christian_Dahlqvist · May 27, 2020, 12:32pm

The most efficient way to she data out of Elasticsearch is to use time-based indices and just delete complete indices once all data the hold is older than the retention period. For tv joe there is support in Kibana through ILM. As far as I know there is no way to periodically run delete by query from Kibana so you may need to schedule a task through corn or similar.

reddy1262 · May 28, 2020, 11:07am

thanks Chris

system · June 25, 2020, 11:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.