I haven't gotten any real results to share with what I've done. I'm still learning API calls. But what I was using as a search parameter was this: curl -XPOST 'http://192.168.1.72:9200/_search?q=tag:message'
Here is an example of the raw json message:
{"message":"[ warning] [vmusr:vmusr] Error in the RPC receive loop: RpcIn: Unable to send.\n","@version":"1","@timestamp":"2015-05-06T05:22:45.000Z","host":"192.168.1.38:64173","type":"windowsEventLog","logType":"windowsEventLog","EventTime":"2015-05-06 00:22:45","Hostname":"server.local","Keywords":36028797018963970,"EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1000,"SourceName":"VMware Tools","Task":0,"RecordNumber":10516558,"ProcessID":0,"ThreadID":0,"Channel":"Application","Domain":"REALTRUCK","AccountName":"User","UserID":"User","AccountType":"User","Opcode":"Info","EventReceivedTime":1430889766,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","receivedAt":"2015-05-06 05:22:46 UTC"}
My intended goal is to search the message for the string "Error in the RPC receive loop", and if the entry contains this text string, delete the entry.
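One way to do this, as an added example that is not from the original post: build a match_phrase query on the message field, dry-run it against a few constructed documents and the cluster's _count endpoint, and only then call _delete_by_query. Assumptions not on the page: an index pattern of logstash-*, Python 3, and an Elasticsearch version with the _delete_by_query API (5.0 or later).

```python
import json
import urllib.request

# Assumed values; the page shows only the host and port of the search endpoint.
ES_BASE = "http://192.168.1.72:9200"
INDEX = "logstash-*"          # placeholder index pattern, not from the page
PHRASE = "Error in the RPC receive loop"

# Constructed sample documents shaped like the raw JSON message on the page.
SAMPLE_DOCS = [
    {"_id": "1", "SourceName": "VMware Tools", "EventID": 1000,
     "message": "[ warning] [vmusr:vmusr] Error in the RPC receive loop: RpcIn: Unable to send.\n"},
    {"_id": "2", "SourceName": "Service Control Manager", "EventID": 7036,
     "message": "The VMware Tools service entered the running state.\n"},
    {"_id": "3", "SourceName": "VMware Tools", "EventID": 1000,
     "message": "Error in the RPC receive loop: RpcIn: Unable to send.\n"},
]


def build_query(phrase: str) -> dict:
    """Query DSL body. match_phrase keeps the words in order; a URI q= search
    would OR the individual terms and hit far more entries than intended."""
    return {"query": {"match_phrase": {"message": phrase}}}


def matching_ids(docs: list, phrase: str) -> list:
    """Offline dry run: which of the given documents the phrase would hit."""
    return [d["_id"] for d in docs if phrase in d.get("message", "")]


def post_json(url: str, body: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def delete_matching(base: str, index: str, phrase: str, execute: bool = False) -> dict:
    """Count the hits first; only send _delete_by_query when execute=True."""
    body = build_query(phrase)
    count = post_json(f"{base}/{index}/_count", body)["count"]
    if not execute:
        return {"would_delete": count}
    return post_json(f"{base}/{index}/_delete_by_query?conflicts=proceed", body)


if __name__ == "__main__":
    print("dry run on sample docs:", matching_ids(SAMPLE_DOCS, PHRASE))
    # Against a live cluster, once the index name is known:
    # print(delete_matching(ES_BASE, INDEX, PHRASE, execute=False))
```

Run the dry run against the cluster and compare the count with a plain _search of the same body before setting execute=True; deletions are not reversible.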