Elasticsearch: Delete by source

Uwais_Ibrahim · June 25, 2018, 10:08am

Hi,

I need to delete hits from elasticsearch for a specefic source file. I tried below curl commands. Nothing worked instead delete all contents from elastic search. Please help to make it work.

curl -XPOST "localhost:9200/filebeat-*/_delete_by_query?pretty" -H 'Content-Type: application/json' -d' { "query": { "match": { "source": "/path/to/filename.csv" } } }'
curl -XPOST "http://localhost:9200/filebeat-*/_delete_by_query?_source='/path/to/filename.csv'" -H 'Content-Type: application/json' -d' { "query": { "match_all": {} } }'

Thanks,

polyfractal · June 26, 2018, 7:00pm

How is the "source" field mapped? If it's a text field, it'll be analyzed and you may be running into issues due to analysis (e.g. /path/to/filename.csv could be tokenized into [path, to, filename, csv] and matching many documents).

This is just incorrect, and will delete all your data. You shouldn't specify the _source in the URL.

As a tip, you can run the DBQ query as a regular search first, to make sure it matches the correct documents before deleting.

system · July 24, 2018, 7:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.