I have an elasticsearch cluster that has an index called 'foo'. Within
foo, I have a ton of information that contains the string "Error in the RPC
receive". I need to do a search for any message that contains that string,
then delete anything.
I have seen several examples, but am not able to flush what I need. I am
using the Chrome extension Postman.
I have tried simple queries such as:
{
  "match_phrase" : {
    "message" : "Error in the RPC receive"
  }
}
I haven't gotten any real results to share with what I've done. I'm still
learning API calls. But what I was using as a search parameter was this:
curl -XPOST 'http://192.168.1.72:9200/_search?1=tag:message'
Here is an example of the raw json message:
{
  "message": "[ warning] [vmusr:vmusr] Error in the RPC receive loop: RpcIn: Unable to send.\n",
  "@version": "1",
  "@timestamp": "2015-05-06T05:22:45.000Z",
  "host": "192.168.1.38:64173",
  "type": "windowsEventLog",
  "logType": "windowsEventLog",
  "EventTime": "2015-05-06 00:22:45",
  "Hostname": "server.local",
  "Keywords": 36028797018963970,
  "EventType": "WARNING",
  "SeverityValue": 3,
  "Severity": "WARNING",
  "EventID": 1000,
  "SourceName": "VMware Tools",
  "Task": 0,
  "RecordNumber": 10516558,
  "ProcessID": 0,
  "ThreadID": 0,
  "Channel": "Application",
  "Domain": "REALTRUCK",
  "AccountName": "User",
  "UserID": "User",
  "AccountType": "User",
  "Opcode": "Info",
  "EventReceivedTime": 1430889766,
  "SourceModuleName": "eventlog",
  "SourceModuleType": "im_msvistalog",
  "receivedAt": "2015-05-06 05:22:46 UTC"
}
My intended goal is to search the message for the string "Error in the RPC
receive loop", and if the entry contains this text string, delete the
entry.
Then it definitely sounds like delete_by_query is your friend here. Follow
the link I sent earlier. If it is not what you want then come back and tell
us why.
When I switch this to this command (curl XDELETE
'httpd://192.168.1.72:9200/logstash-2015.05.01/_search?q=message:'Error in
the RPC receive''), the other node in the cluster has an issue:
{
"error": "RemoteTransportException[[es-logstash-n2][inet[/192.168.1.80:9301]][indices:admin/mapping/delete]]; nested: TypeMissingException[[_all] type[[_search]] missing: No index has the type.]; ",
"status": 404
}
On Friday, May 8, 2015 at 9:38:31 AM UTC-5, Allan Mitchell wrote:
Hi
Then it definitely sounds like delete_by_query is your friend here.
Follow the link I sent earlier. If it is not what you want then come back and
tell us why.
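An added example of the count-then-delete sequence Allan is pointing at; this is not code from the thread or from Elasticsearch itself. It assumes the Elasticsearch 1.x delete-by-query API of that era (DELETE on /{index}/_query with a query body; removed from core in 2.0 and replaced by POST /{index}/_delete_by_query in 5.0), uses the cluster address from the thread as a default, and assumes a logstash-2015.05.* index pattern. The body wraps match_phrase in a top-level "query" object, which the bare match_phrase snippet above lacks. It also shows why the XDELETE command in the thread fails: the error names indices:admin/mapping/delete and a type called "_search", because in 1.x a DELETE on /{index}/{something} is the delete-mapping API, and "_search" was taken as a type name. By default the script only prints the curl commands; set ES_DRY_RUN=0 after the count looks right.

```shell
#!/bin/sh
# Added example, not code from the thread: count the matching documents, then
# delete them with the Elasticsearch 1.x delete-by-query API (DELETE /{index}/_query).
# ES_HOST uses the address from the thread; ES_INDEX is an assumed logstash index
# pattern; set ES_DRY_RUN=0 to actually send the requests.
ES_HOST="${ES_HOST:-http://192.168.1.72:9200}"
ES_INDEX="${ES_INDEX:-logstash-2015.05.*}"
ES_DRY_RUN="${ES_DRY_RUN:-1}"

# One body for both calls, so the delete removes exactly what the count saw.
# The phrase is embedded verbatim; it must not contain JSON-special characters.
es_body() {
    printf '{"query":{"match_phrase":{"message":"%s"}}}' "$1"
}

# Print the request (dry run) or send it.
es_request() {
    method=$1; path=$2; body=$3
    if [ "$ES_DRY_RUN" = "1" ]; then
        printf "curl -s -X%s \"%s/%s\" -H 'Content-Type: application/json' -d %s\n" \
            "$method" "$ES_HOST" "$path" "'$body'"
    else
        curl -s -X"$method" "$ES_HOST/$path" -H 'Content-Type: application/json' -d "$body"
    fi
}

# Step 1: count, using a search endpoint (_count), not a delete verb.
es_count_matches() {
    es_request GET "$ES_INDEX/_count" "$(es_body "$1")"
}

# Step 2: delete by query. DELETE goes to /{index}/_query; DELETE on
# /{index}/_search is the delete-mapping API for a type called "_search",
# which is the TypeMissingException the thread shows. Refuse to run unscoped,
# since DELETE /_query with no index would hit every index in the cluster.
es_delete_matches() {
    case "$ES_INDEX" in
        ''|'*'|_all) echo "refusing delete-by-query against all indices" >&2; return 1 ;;
    esac
    es_request DELETE "$ES_INDEX/_query" "$(es_body "$1")"
}

es_count_matches "Error in the RPC receive loop"
```

Run it once as-is to see the count request, run that for real with ES_DRY_RUN=0, and only then call es_delete_matches with the same phrase. The cluster in the thread is reachable over plain HTTP on 9200 with no authentication in front of it, so anything that can send a DELETE to that port can drop mappings or documents; keeping the index pattern narrow and counting first is the minimum care such a request deserves.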