Deletion in ES getting 403

Trying to delete from ES using this query:

POST /logstash-2020.06.17/_delete_by_query
{
  "query": {
    "match": {
      "tags": "AuditLog"
    }
  }
}

Getting this error message:

{
  "took": 62,
  "timed_out": false,
  "total": 547906,
  "deleted": 0,
  "batches": 1,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": [
    {
      "index": "logstash-2020.06.17",
      "type": "_doc",
      "id": "hT_LwXIByjRlhR8LizfR",
      "cause": {
        "type": "cluster_block_exception",
        "reason": "index [logstash-2020.06.17] blocked by: [FORBIDDEN/8/index write (api)];"
      },
      "status": 403
    },
    {
      "index": "logstash-2020.06.17",
      "type": "_doc",
      "id": "p3vLwXIBOr71FS1tinPh",
      "cause": {
        "type": "cluster_block_exception",
        "reason": "index [logstash-2020.06.17] blocked by: [FORBIDDEN/8/index write (api)];"
      },
      "status": 403
    },

What could be the issue?

Thanks in advance.

It looks like the index is set to block write operations. If you have a look at the index settings, there is probably a blocks setting causing the error:

GET logstash-2020.06.17/_settings?include_defaults=true

You can find out about the various index.blocks settings here: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-modules.html


@whatgeorgemade thanks for your reply.

I used this command to check the settings:

GET /logstash-2020.06.17/_settings

Output:

{
  "logstash-2020.06.17" : {
    "settings" : {
      "index" : {
        "lifecycle" : {
          "name" : "delete_after_91_days"
        },
        "number_of_shards" : "4",
        "blocks" : {
          "write" : "true"
        },
        "provided_name" : "logstash-2020.06.17",
        "creation_date" : "1592352002186",
        "number_of_replicas" : "1",
        "uuid" : "wk97Z-euRrKfmZvxdaVwDQ",
        "version" : {
          "created" : "7050299"
        }
      }
    }
  }
}

How do I deal with this? In order to delete old indexes, do I need to change the setting, and if yes, how can I? One more thing: as this is our production, changes will not affect anything in a bad way, right?

You can use the index settings API to change that setting to false.

I can't answer about whether or not it will affect things in a bad way. It's your cluster, your data, and someone may have blocked writes for a good reason. Changing data in the index may cause cluster or business process problems.

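The check discussed in this thread, as an added example that is not from any of the posters: it correlates the `cluster_block_exception` failures in a `_delete_by_query` response with the `index.blocks.*` settings of the same index, reports the lifecycle policy attached to it, and builds the body for an update index settings request. The function name `diagnose` is hypothetical, and the sample inputs are constructed by trimming the responses quoted above.

```python
import json
import re

# Constructed sample inputs, trimmed from the responses quoted in the thread.
DELETE_RESPONSE = json.loads("""
{"total": 547906, "deleted": 0, "failures": [
  {"index": "logstash-2020.06.17", "id": "hT_LwXIByjRlhR8LizfR", "status": 403,
   "cause": {"type": "cluster_block_exception",
             "reason": "index [logstash-2020.06.17] blocked by: [FORBIDDEN/8/index write (api)];"}}
]}
""")
SETTINGS_RESPONSE = json.loads("""
{"logstash-2020.06.17": {"settings": {"index": {
  "lifecycle": {"name": "delete_after_91_days"},
  "blocks": {"write": "true"}}}}}
""")

# Matches block descriptors such as [FORBIDDEN/8/index write (api)].
BLOCK_RE = re.compile(r"\[(\w+)/(\d+)/([^\]]+)\]")


def diagnose(delete_resp, settings_resp):
    """Correlate cluster_block_exception failures with index.blocks.* settings."""
    report = {}
    for failure in delete_resp.get("failures", []):
        cause = failure.get("cause", {})
        if cause.get("type") != "cluster_block_exception":
            continue
        entry = report.setdefault(failure["index"], {"reported": set()})
        entry["reported"].update(m.group(3) for m in BLOCK_RE.finditer(cause.get("reason", "")))
    for index, entry in report.items():
        idx = settings_resp.get(index, {}).get("settings", {}).get("index", {})
        # Settings values come back as strings ("true"), so compare as text.
        active = sorted(k for k, v in idx.get("blocks", {}).items() if str(v).lower() == "true")
        entry["active_blocks"] = active
        # Surface the attached lifecycle policy so it can be reviewed first.
        entry["lifecycle_policy"] = idx.get("lifecycle", {}).get("name")
        # Body for PUT /<index>/_settings that sets each active block to false.
        entry["unblock_body"] = {f"index.blocks.{k}": False for k in active}
    return report


if __name__ == "__main__":
    for index, entry in diagnose(DELETE_RESPONSE, SETTINGS_RESPONSE).items():
        print(index, "blocked by", sorted(entry["reported"]), "policy:", entry["lifecycle_policy"])
        print(f"PUT /{index}/_settings")
        print(json.dumps(entry["unblock_body"], indent=2))
```

The script only prints the request; whether to send it is the operator's decision after finding out who or what set the block.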