My Old, Bad, Data Came Back

Installed ES, the logstash and Kibana bits. Ran some data into it, looked good.

Deleted the indices because: did not want the old, bad, data in there.

Deleted ES because of an issue with upgrading that may have caused the indices to go red.

Installed ES. Spent a few hours loading up good data from log.

Restarted ES. My bad data came back. The good stuff is no longer there. What happened?

I vaugley recall reading a stackoverflow entry on this, but can't find it.

Using CURL to remove indices doesn't remove it from disk?

Can I get my good data back?

How can I make the ratty stuff actually go away?

Edit. I had a moment to circle back to this. Thought about it. Did a search on disk and found this (sample)

./usr/share/elasticsearch-1.6.0/data/muostats/nodes/0/indices/logstash-2014.07.02

./var/lib/elasticsearch/elasticsearch/nodes/0/indices/logstash-2014.03.06

First line is the new indices. Second line is the old data, from the first install.

I guess that I can delete the data from disk restart elasticsearch and .. things will be okay?

By default, with a deb/rpm install, ES keeps data in /var/lib/elasticsearch/.

Did you change path.data?
Do the old indices show up in _cat/indices?

I found out where I went wrong.

I am sure (but less sure than I was on Friday) that I executed yum remove elasticsearch BUT it's still there in /var/lib/elasticsearch.

Meanwhile I downloaded the package from the Download Elasticsearch | Elastic parked that in /usr/share/elasticsearch-1.60.0, created a symlink to /usr/share/elasticsearch ...

And what I later did was use history to manually start es but it was pointing to the wrong binary and so grabbed the wrong indices.

I've started it correctly, and have my correct indices loaded in _cat/indices now.

This is a great example of why to use the repositories and then just yum upgrade :slight_smile:

I had good reasons for doing it that way. I'd just like to remember what they were!