How to get the Key


(Juan Andres Ramirez) #1

Hello Guys,
I need to know how to get a specific key named source, it's inside the section _source.

First I executed command:

curl -XGET 'http://10.101.81.199:9200/graylog2_20/_search?pretty' -d '{
"query": { "match": {"source": "SERVER-1"}},
"_source": ["source"]}'

Output:

"_index" : "graylog2_20",
      "_type" : "message",
      "_id" : "9d8cfb12-605f-11e5-943e-005056a9199b",
      "_score" : 3.0858476,
      "_source":{"**source":"SERVER-1**"}

I need get the key source it's inside in "_source" to find every source with SERVER-1 and delete every key found.

Thank you.


(Magnus Bäck) #2

Are you looking for the delete by query API?


(Juan Andres Ramirez) #3

Hi Magnus,
Yes but I can't find the way to delete by query api. I tried with some command, for example:

curl -XGET 'http://10.101.81.199:9200/graylog2_20/message/_query' -d '{
 "query_string":{
 "default_field" : "source",
 "query": "SERVER-1"
 }
 }'

OUTPUT:

 {"_index":"graylog2_20","_type":"messages","_id":"_query","found":false}

I can delete by ID but I have around 50G in data.....delete 1 at time by ID is crazy....

Thank you.


(Magnus Bäck) #4

The documentation I linked to contains examples that are very close to what you need so I'm not sure what's unclear. Your command uses -XGET but you need -XDELETE. If you correct that it might actually work. Well, except that there appears to be something wrong with the query itself since it matches zero documents.


(Juan Andres Ramirez) #5

Hello Magnus, Sorry my mistake,

COMMAND:

curl -XDELETE 'http://10.101.81.199:9200/graylog2_0/message/_query?pretty' -d '{
 "query_string":{
 "default_field" : "source",
 "query": "SERVER-1"
 }
 }'

OUTPUT:

"_indices" : {
    "graylog2_0" : {
      "_shards" : {
        "total" : 1,
        "successful" : 0,
        "failed" : 1,
        "failures" : [ {
          "index" : "graylog2_0",
          "shard" : 0,
          "reason" : "QueryParsingException[[graylog2_0] request does not support [query_string]]"
        } ]

The index has enable write/read.
Any idea why the request doesn't support?.

Thank you.


(Magnus Bäck) #6

See http://stackoverflow.com/a/32607578/414355.


(Juan Andres Ramirez) #7

Its works!!, problem solved, Thank you Magnus.


(system) #8