Suppose I have thousands of log lines. Would deleting some of the log lines erase the data completely from disk space, or does it just not display in search results and is still present on the disk?
Both. At first it's just that the documents are marked as deleted. They are
later removed when the segment they live in is merged with another segment.
Updates are the same way.
Usually this works fine. If you have data that "rolls away" it's usually
better to make an index per time period and then nuke the whole index.
There is a tradeoff between the number of indexes and the ease of deleting
the whole index. That is a balancing act that you have to experiment with.
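The following is an added example, not part of the original posts: it reads constructed `_cat/indices` output and separates daily indices that are past retention (drop the whole index) from indices whose deleted documents are still sitting in unmerged segments. The `logs-YYYY.MM.DD` naming, the 7-day retention, the 20% threshold and the use of `_forcemerge` (which assumes an Elasticsearch version that has that endpoint) are assumptions.

```python
from datetime import date, datetime

# Constructed sample of `GET _cat/indices?h=index,docs.count,docs.deleted` output.
CAT_INDICES = """\
logs-2024.01.01 120000 0
logs-2024.01.02 95000 0
logs-2024.01.08 118000 41000
logs-2024.01.09 90000 300
.kibana 40 1
"""

def parse_cat(text):
    """Yield (index, live_docs, deleted_docs) from _cat/indices text output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            yield parts[0], int(parts[1]), int(parts[2])

def index_day(name, prefix="logs-"):
    """Return the date encoded in a daily index name, or None if it is not one."""
    if not name.startswith(prefix):
        return None
    try:
        return datetime.strptime(name[len(prefix):], "%Y.%m.%d").date()
    except ValueError:
        return None

def plan(text, today, keep_days=7, deleted_ratio=0.2):
    """Split indices into whole-index drops and indices still holding deleted docs."""
    drop, lingering = [], []
    for name, live, deleted in parse_cat(text):
        day = index_day(name)
        if day is not None and (today - day).days > keep_days:
            drop.append(name)  # past retention: remove the whole index
        elif deleted and deleted / (live + deleted) >= deleted_ratio:
            lingering.append(name)  # marked deleted, not yet merged away
    return drop, lingering

def requests_for(drop, lingering):
    """Render the REST calls for an operator to review before sending."""
    calls = [f"DELETE /{name}" for name in drop]
    calls += [f"POST /{name}/_forcemerge?only_expunge_deletes=true"
              for name in lingering]
    return calls

if __name__ == "__main__":
    for call in requests_for(*plan(CAT_INDICES, date(2024, 1, 10))):
        print(call)
```

A non-zero `docs.deleted` count means those documents are hidden from search but have not yet been merged out of their segments.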
Thanks! Will research more about it.
If you need some starting points for your research:
https://www.elastic.co/guide/en/elasticsearch/guide/current/time-based.html
https://www.elastic.co/guide/en/elasticsearch/guide/current/retiring-data.html
Thanks for the links!