Hi,
I've got ~1.5mio entries in elasticsearch I need to delete/remove, because they caused some grokparseerrors.
Luckily they all have a tag (_rubyexception and/or _grokparsefailure) and I can do a nice kibana search to find the questionable entries. I also have a custom field for this (erroneousMessage).
The following kibana searches work for me:
tags:_rubyexception
or
_exists_:erroneousMessage
But, when I try searches using the search API (_search or _count) I have no luck (no hits).
Search for tags:
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "tags:_rubyexception",
            "analyze_wildcard": true
          }
        }
      ],
      "must_not": []
    }
  }
}
Search for field:
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "_exists_:erroneousMessage",
            "analyze_wildcard": true
          }
        }
      ],
      "must_not": []
    }
  }
}
(The queries are stripped down versions for the kibana "requests" you can display.)
I did some research and found it may be related to the fact that "tags" is "analyzed" and "erroneousMessage" is not a field included in the mapping (I create this on the fly when some error happens during the logstash parsing) - I still wonder:
- Why am I successful with my search in kibana but not with the API? What is Kibana doing differently? I always thought of it as a fancy frontend for Elasticsearch, but it seems its "requests" are faked to some degree.
- Is there any way for me to successfully query the results with my existing indexes/mapping so I can delete them via _delete_by_query API?
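As an added example for the second question (not code from the original post), a small Python helper that sends the post's query_string query through `_count` against the Kibana index pattern and only calls `_delete_by_query` when the count is nonzero and below an expected ceiling; it assumes a local cluster at `http://localhost:9200` and the pattern `logstash-*`, both of which are placeholders.

```python
"""Count-before-delete for events tagged _grokparsefailure / _rubyexception."""
import json
import urllib.request

ES_URL = "http://localhost:9200"   # assumption: local cluster, no auth
INDEX_PATTERN = "logstash-*"       # assumption: Kibana's index pattern, not one index


def build_query(lucene_query: str) -> dict:
    """Same query_string clause as the post's Kibana request, but only the
    "query" part: "size" is a search option and is left out of _count bodies."""
    return {"query": {"bool": {"must": [
        {"query_string": {"query": lucene_query, "analyze_wildcard": True}}
    ]}}}


def post_json(path: str, body: dict) -> dict:
    """POST a JSON body to Elasticsearch and return the decoded response."""
    req = urllib.request.Request(
        ES_URL + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def count_matches(lucene_query: str, post=post_json) -> int:
    """_count against the whole index pattern, so the result is comparable
    with what Kibana shows rather than with a single index."""
    return post(f"/{INDEX_PATTERN}/_count", build_query(lucene_query))["count"]


def delete_matches(lucene_query: str, post=post_json):
    """conflicts=proceed keeps going when a document changed under the query;
    returns (deleted, failures) from the _delete_by_query response."""
    path = f"/{INDEX_PATTERN}/_delete_by_query?conflicts=proceed"
    result = post(path, build_query(lucene_query))
    return result.get("deleted", 0), result.get("failures", [])


def cleanup(lucene_query: str, expected_max: int, post=post_json):
    """Refuse to delete when the count is zero (the query or index pattern is
    probably wrong) or larger than the number of bad events you expect."""
    n = count_matches(lucene_query, post)
    if n == 0:
        return ("skip", 0)
    if n > expected_max:
        return ("abort", n)
    deleted, _failures = delete_matches(lucene_query, post)
    return ("deleted", deleted)
```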