How to delete an index from logstash output


(Efrain Gonzalez) #1

Hi,

From logstash, if there is a specific event, I need to delete all documents in an index or delete the entire index (both options work for me, so the more efficient the better).

I can't find a way to do that. Could someone give some hints?

Thanks


(Christian Dahlqvist) #2

I do not think there is. What would be the use case for this?


(Efrain Gonzalez) #3

Hi Christian

I'm receiving events (bgp updates (routes)), so I'm keeping the most recent version of each route in my index (for later analysis).

If for any reason I receive the bgp session down event, I need to delete all existing entries of my index.

Regards


(Christian Dahlqvist) #4

If you have a unique ID in your documents or can create one based on the data in it, you can specify this as the document_id in the Elasticsearch output plugin. As long as you are not using time-based indices for these documents, this will result in the existing document getting updated for each new document.

Sometimes it may make sense to store all the raw documents in a time-based index to keep track of the changes, but also keep the latest state in a non time-based index. You can then choose the index based on whether you are looking for history or the current state.


(Efrain Gonzalez) #5

I'm trying to do exactly that.... (having a 'main index' time-based), and another one not using time-based indices (but using a unique document_id instead)

The index that I would like to delete (in case of a specific event) is the 'not time-based index'.


(Christian Dahlqvist) #6

Why would you delete it? What criteria would you use to do so?

If it is triggered by a single event, you might be able to achieve it using a http output plugin, but I have not tried it.


(Efrain Gonzalez) #7

When this event 'bgp session down' is received, it means all routes being advertised so far are not valid any more.

Then after the bgp session up, new events will arrive with new updates that will repopulate the recently deleted/empty index.

I'll try the http output to see how it goes.


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
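The approach suggested in replies #4 and #6, sketched as a Logstash pipeline. This is an added example, not a configuration posted by anyone in the thread, and it is untested against a live cluster. The field names (`[bgp][event]`, `[bgp][peer]`, `[bgp][prefix]`), the event values, the index names and the host are assumptions.

```logstash
filter {
  if [bgp][event] == "update" {
    # Build a stable ID per route so a newer update overwrites the older document.
    fingerprint {
      source => ["[bgp][peer]", "[bgp][prefix]"]
      concatenate_sources => true
      method => "SHA256"
      target => "[@metadata][route_id]"
    }
  }
}

output {
  # History: every raw event goes to a time-based index.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "bgp-history-%{+YYYY.MM.dd}"
  }

  if [bgp][event] == "update" {
    # Current state: one document per route in a non time-based index.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "bgp-routes-current"
      document_id => "%{[@metadata][route_id]}"
    }
  } else if [bgp][event] == "session_down" {
    # Session down: empty the current-state index with a delete-by-query.
    # To drop the whole index instead, use http_method => "delete" against
    # http://localhost:9200/bgp-routes-current and remove the message body.
    http {
      url => "http://localhost:9200/bgp-routes-current/_delete_by_query"
      http_method => "post"
      format => "message"
      content_type => "application/json"
      message => '{"query":{"match_all":{}}}'
    }
  }
}
```

Because a single event triggers bulk deletion, the account the http output authenticates with should be allowed to delete only in the current-state index, not in the history indices or cluster-wide.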