Import / update value list (items) via api

Using the lists API you can easily import items to a list.
Now consider that this imported source list has been updated and I want to reflect that in Elastic. I would love it if I could simply re-import it with some kind of overwrite of the current items, like PUT/PATCH for other endpoints, but as I understand the documentation I cannot simply import it again, since that will append to the list and duplicate the items. Having used the list in exceptions etc., I cannot remove the list and recreate it either. I guess the list items must be purged and then reimported. Neither does there seem to be a way to remove all current list items in one go, I must iterate them? An alternative way would be to diff, in an external script, the updated source against what is currently in the list in Elastic and execute specific create/delete list item calls accordingly. Is there some other smarter way to do this that I have missed? Thanks.

Hi @maan,

Welcome! I also don't see a way to override the existing items. There is a way to delete an individual item, or alternatively you could delete the list container and then recreate the container and import the new items. But I see your concern as you're already using the list that it could invalidate your exceptions.

Are you looking to update existing items? There is an update API that is an alternative for updating individual items. Otherwise deletion of individual items and then adding the new ones is also an option looking at the API.

Hope that helps!

Hi @maan

Welcome to the community!

> Neither does there seem to be a way to remove all current list items in one go, I must iterate them?

One possible way is to use an Elasticsearch query through the Kibana Dev Console.

You can use the _delete_by_query API to find and delete all items of the list.

For example, the following query would delete all items of the list value_list-test-1.txt, created in the t1 space:


POST .items-t1/_delete_by_query
{
  "query": {
    "terms": {
      "list_id": [
        "value_list-test-1.txt"
      ]
    }
  }
}


The list_id parameter is the list ID of the list container; it can be retrieved with the API call: Get list container | Elastic Security Solution [8.12] | Elastic

.items-t1 is the index where the list container is created. The second part of the index name is the Kibana space name. In my example, it is the t1 space. So you would need to put there the name of the space where the list container was created. If it is in the default space, the index name will be .items-default

Hope this can be helpful.


Great, thank you. At least that (delete_by_query) is a much quicker and simpler way to purge all items from the list. Perfectly clear explanation, I do get it.

Ah, as you said, but I initially missed, this is an Elasticsearch API thing and I need to do this via the Kibana APIs. So even if it is still a good tip, it is unfortunately not my solution.
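
The external diff approach from the question, restricted to the Kibana list-item endpoints as the last post requires, shown as an added example (not code from any poster or from Elastic). It assumes the current items were already collected with the find list items endpoint and that values compare as exact strings; the item IDs and values are constructed, and it goes one step beyond the thread by also removing the duplicate copies a repeated import leaves behind.

```python
# Added example: reconcile a value list with an updated source using only
# Kibana list-item endpoints. Sample data is constructed; nothing is sent.
from urllib.parse import quote, urlencode


def plan_sync(current_items, source_lines):
    """Return (values_to_create, item_ids_to_delete).

    current_items: dicts with "id" and "value", as collected page by page
    from GET /api/lists/items/_find. source_lines: lines of the updated file.
    """
    wanted = {line.strip() for line in source_lines if line.strip()}
    kept = set()          # values already present that should stay
    delete_ids = []
    for item in current_items:
        value = item["value"]
        if value in wanted and value not in kept:
            kept.add(value)                 # keep the first copy
        else:
            delete_ids.append(item["id"])   # stale value or duplicate copy
    return sorted(wanted - kept), delete_ids


def build_requests(list_id, space, create_values, delete_ids):
    """Translate the plan into (method, path, json_body) tuples."""
    prefix = "" if space == "default" else "/s/" + quote(space, safe="")
    base = prefix + "/api/lists/items"
    requests = [("DELETE", base + "?" + urlencode({"id": i}), None)
                for i in delete_ids]
    requests += [("POST", base, {"list_id": list_id, "value": v})
                 for v in create_values]
    return requests


# Constructed sample: list state after an accidental second import.
CURRENT = [
    {"id": "a1", "value": "10.0.0.1"},
    {"id": "a2", "value": "10.0.0.2"},
    {"id": "a3", "value": "10.0.0.1"},   # duplicate
    {"id": "a4", "value": "10.0.0.9"},   # no longer in source
]
SOURCE = ["10.0.0.1\n", "10.0.0.2\n", "\n", "10.0.0.3\n"]

if __name__ == "__main__":
    create, delete = plan_sync(CURRENT, SOURCE)
    for req in build_requests("value_list-test-1.txt", "t1", create, delete):
        print(req)
```

Because the list container is never deleted, exceptions that reference it stay valid. When sending these requests, Kibana expects authentication and a `kbn-xsrf` header on the DELETE and POST calls.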
