How to get the Key

(Juan Andres Ramirez) #1

Hello Guys,
I need to know how to get a specific key named source, it's inside the section _source.

First I executed command:

curl -XGET '' -d '{
"query": { "match": {"source": "SERVER-1"}},
"_source": ["source"]}'


"_index" : "graylog2_20",
      "_type" : "message",
      "_id" : "9d8cfb12-605f-11e5-943e-005056a9199b",
      "_score" : 3.0858476,

I need get the key source it's inside in "_source" to find every source with SERVER-1 and delete every key found.

Thank you.

(Magnus Bäck) #2

Are you looking for the delete by query API?

(Juan Andres Ramirez) #3

Hi Magnus,
Yes but I can't find the way to delete by query api. I tried with some command, for example:

curl -XGET '' -d '{
 "default_field" : "source",
 "query": "SERVER-1"



I can delete by ID but I have around 50G in data.....delete 1 at time by ID is crazy....

Thank you.

(Magnus Bäck) #4

The documentation I linked to contains examples that are very close to what you need so I'm not sure what's unclear. Your command uses -XGET but you need -XDELETE. If you correct that it might actually work. Well, except that there appears to be something wrong with the query itself since it matches zero documents.

(Juan Andres Ramirez) #5

Hello Magnus, Sorry my mistake,


curl -XDELETE '' -d '{
 "default_field" : "source",
 "query": "SERVER-1"


"_indices" : {
    "graylog2_0" : {
      "_shards" : {
        "total" : 1,
        "successful" : 0,
        "failed" : 1,
        "failures" : [ {
          "index" : "graylog2_0",
          "shard" : 0,
          "reason" : "QueryParsingException[[graylog2_0] request does not support [query_string]]"
        } ]

The index has enable write/read.
Any idea why the request doesn't support?.

Thank you.

(Magnus Bäck) #6


(Juan Andres Ramirez) #7

Its works!!, problem solved, Thank you Magnus.

(system) #8