Query deleted the entire events in Index

VijayKarthikeyan · December 28, 2016, 7:00am

Hi,

I have been running ELK for a while and during the course of learning, i have been exercising with some sample data stashed in Elasticsearch.

I used the below query once to delete a particular set of events in the Kibana Console.

POST logstash-2016.12.21/_delete_by_query
{
"query":{
"match":{ "path":"C:\Users\547213\elk\tutorialdata\vendor_sales\vendorsaleswithnewformats.LOG"
}
}
}

But this deleted entire events in the index instead of deleting the events with "path" matching up the phrase given above. Is it something wrong in the query?

dadoonet · December 28, 2016, 7:33am

If you are using the default analyzer for path field, I'd expect that.

Run a search before the delete and will have an idea of is going to be removed.

VijayKarthikeyan · January 2, 2017, 8:33am

but why would the select or delete takes entire index as i have given a search phrase with double quotes to search.

It should only pick the documents which matches with the search phrase, shouldn't it?

dadoonet · January 2, 2017, 8:55am

Have a look at the _analyze API and you will have a better understanding of what is indexed and what is searched.

In the case of the path field, I'd use a keyword field type probably.

Note that match query here is not a phrase query.

system · January 30, 2017, 8:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.