How to view docs.deleted data

KrishnaCh · September 29, 2022, 1:48pm

Hi All,
In my elastic cluster, I see there are some records in docs.deleted for some of the indices, and I am not sure how to find out who deleted the docs?
My 3 node elastic cluster version is 7.16.1 and it is Not an enterprise version, and we are using a free opensource version.

I tried enabling xpack.security.audit.enabled in elastic config on all nodes and restarted cluster, and manually deleted records to check if its getting logged, but its not writing anything in the audit log file.

Is the auditing feature is available ONLY on the enterprise version?

Can anyone please help me how to find out the docs.deleted data?

Christian_Dahlqvist · September 29, 2022, 2:01pm

The audit log feature requires a platinum or higher license.

That is not possible. Be aware that updates show up as a index and a delete, so it is not becessary that any documents have been deleted.

KrishnaCh · September 29, 2022, 2:29pm

Thank you Christian for your response.

Okay. Noted.

Okay, so do you mean that if same document when indexed again, will result as updates, and it will do a delete and index That document again? Is my understanding correct?

system · October 27, 2022, 2:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docs.deleted docs are missing after reindexing Elasticsearch	2	380	March 8, 2021
How to monitor cause of deletion of documents in index? Elasticsearch	4	297	November 16, 2021
Detecting deletes Elasticsearch elastic-stack-security	4	1517	December 15, 2020
Tracking document updates and deletions with Audit Logging Elasticsearch	0	47	July 11, 2024
Elasticsearch documents deleted automatically Elasticsearch	12	5416	July 5, 2017

How to view docs.deleted data

Related topics