How do I delete logstash data by query

bigfootxxl · May 24, 2015, 12:45pm

Hello. I have some hosts that I need to delete all the syslog data of. So I try the query:
curl -XGET 'http://log:9200/logstash-2015.05.23/_query' -d '{
"query": {
"filtered": {
"query": {
"bool": {
"should": [
{
"query_string": {
"query": "host:vm*"
}
}
]
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": 1420116612709,
"to": 1432468230716
}
}
}
]
}
}
}
}
}'

That gives me
"took" : 63,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 2365117,

etc. some output. So I figure it got something and then I replace the XGET by XDELETE but it gives me:
{"error":"ElasticsearchIllegalArgumentException[No feature for name [_query]]","status":400}

Sorry if this a stupid question but I'm completely new to this stuff. How do I delete all the data from hosts host:vm* ?

dadoonet · May 24, 2015, 2:33pm

On which version?

It should work fine: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

Are you really running that from the command line using curl?

bigfootxxl · May 25, 2015, 6:50am

yes from command line. I have vresion 1.4.4. but I have 1.4.5 available through yum. Or will I need 1.5+?
Secondly: would the the upgrade work if I just add the 1.5 yum repo (https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html) and give the yum upgrade command?

bigfootxxl · May 26, 2015, 8:39am

I did upgrade to latest 1.5.2 but this method still did not work.... but I got this working: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

and the key was not to use '*' in searches!