New to ES and Apache Logging: getting rid of ratty data

bdunbar · June 8, 2015, 6:34pm

I'm new to ES. We're test-piloting ELK 4 for webstats.

How do I get rid of ratty data?

Like this: I've got my 8 apache web servers sending access logs, I've got the log format looking good, GEOIP setup. I even have some basic stats on the Kibana Dashboard.

I've had this running for six days or so. I have even figured out that my servers were logging a ton of messages about their healthcheck, which was dirtying the stats, and have setup logstash to remove those.

But now I have a week, or so, of data that isn't right. I can explain, when I turn this over to the end user, that data from June 1 - June 6 is bad, pay no attention, but I'd prefer to work some magic and have ES take them away.

Is there an incantation for that? A doc I can read?

theuntergeek · June 8, 2015, 7:28pm

Do you need the indices still? I mean, is there other data in there that you still need?

Yes: A delete_by_query to delete everything of type "apache" (presuming you used Logstash to type individual inputs).

No: Use Elasticsearch Curator to delete indices older than n days.

bdunbar · June 8, 2015, 8:31pm

It's tempting to discard 'all' and start over again - I'll think about both.

Topic		Replies	Views
Delete old data Elasticsearch	7	9567	July 5, 2017
Delete logs in ElasticSearch after certain period Elasticsearch	27	104142	March 20, 2017
Deleted index directories still can data logs through kibana Elasticsearch	3	869	July 6, 2017
Removing data from Elasticsearch Elasticsearch	3	595	September 1, 2017
Delete host specific index data Elasticsearch	2	1747	July 6, 2017

New to ES and Apache Logging: getting rid of ratty data

Related topics