Winlogbeat - Deletion of specific event IDs which are older than 3 months

I would like to delete old events that were recorded with Winlogbeat, specifically those with Event IDs 4768, 4769 and 4770.
These are Kerberos authentication events, and there are a great many of them.
Only records older than 3 months should be deleted.
How can I do this?

No one? :frowning:

Hello,

There are a couple of old posts about this; I'm not sure whether you have tried the forum search.

To do what you want you need to use the Delete By Query API.

You would need to write the query yourself so that it matches only the events with those IDs that are older than 3 months (running it as a search first shows exactly what would be deleted); you can check the documentation here.

Elastic cannot do that automatically; automatic deletion only works for entire indices, and for that you would use a Lifecycle Policy.

Hello Leandro

You're talking to someone from the Microsoft world; everything feels a bit simpler there — or at least significantly different :blush:

I had a look at the page.
To build the delete request, I first need the correct index name.
I used curl to call the _aliases API and list all the indices.
But how do I know which one is the right one?

D:\curl8.1.2_3\bin>curl --cacert c:\_Mon\e\config\certs\wxtask2p-idm-lan-local.crt  -H "Authorization: Bearer AAEAAWVsYXN0...lBX09oZw" https://wxtask2p.idm.lan.local:9200/_aliases?pretty=true
{
  ".slo-observability.sli-v2" : {
    "aliases" : { }
  },
  ".reporting-2023-07-23" : {
    "aliases" : { }
  },
  ".kibana_security_session_1" : {
    "aliases" : {
      ".kibana_security_session" : {
        "is_hidden" : true
      }
    }
  },
  ".internal.alerts-observability.slo.alerts-default-000001" : {
    "aliases" : {
      ".alerts-observability.slo.alerts-default" : {
        "is_write_index" : true
      }
    }
  },
  ".items-default-000001" : {
    "aliases" : {
      ".items-default" : {
        "is_write_index" : true
      }
    }
  },
  ".internal.alerts-observability.metrics.alerts-default-000001" : {
    "aliases" : {
      ".alerts-observability.metrics.alerts-default" : {
        "is_write_index" : true
      }
    }
  },
  ".kibana-event-log-8.7.0-000007" : {
    "aliases" : {
      ".kibana-event-log-8.7.0" : {
        "is_write_index" : true,
        "is_hidden" : true
      }
    }
  },
  ".kibana-event-log-8.7.0-000006" : {
    "aliases" : {
      ".kibana-event-log-8.7.0" : {
        "is_write_index" : false,
        "is_hidden" : true
      }
    }
  },
  ".apm-custom-link" : {
    "aliases" : { }
  },
  ".kibana-event-log-8.7.0-000005" : {
    "aliases" : {
      ".kibana-event-log-8.7.0" : {
        "is_write_index" : false,
        "is_hidden" : true
      }
    }
  },
  ".kibana-event-log-8.7.0-000004" : {
    "aliases" : {
      ".kibana-event-log-8.7.0" : {
        "is_write_index" : false,
        "is_hidden" : true
      }
    }
  },
  ".reporting-2023-04-23" : {
    "aliases" : { }
  },
  ".kibana_alerting_cases_8.10.2_001" : {
    "aliases" : {
      ".kibana_alerting_cases" : {
        "is_hidden" : true
      },
      ".kibana_alerting_cases_8.10.2" : {
        "is_hidden" : true
      }
    }
  },
  ".internal.alerts-stack.alerts-default-000001" : {
    "aliases" : {
      ".alerts-stack.alerts-default" : {
        "is_write_index" : true
      }
    }
  },
  ".kibana_blob_storage" : {
    "aliases" : { }
  },
  ".internal.alerts-observability.uptime.alerts-default-000001" : {
    "aliases" : {
      ".alerts-observability.uptime.alerts-default" : {
        "is_write_index" : true
      }
    }
  },
  ".apm-agent-configuration" : {
    "aliases" : { }
  },
  ".apm-source-map" : {
    "aliases" : { }
  },
  ".monitoring-kibana-7-2023.11.02" : {
    "aliases" : { }
  },
  ".monitoring-kibana-7-2023.11.03" : {
    "aliases" : { }
  },
  ".monitoring-kibana-7-2023.11.04" : {
    "aliases" : { }
  },
  ".kibana_task_manager_8.7.0_001" : {
    "aliases" : {
      ".kibana_task_manager" : {
        "is_hidden" : true
      },
      ".kibana_task_manager_8.10.2" : {
        "is_hidden" : true
      }
    }
  },
  ".kibana-observability-ai-assistant-conversations-000001" : {
    "aliases" : {
      ".kibana-observability-ai-assistant-conversations" : {
        "is_write_index" : true
      }
    }
  },
  ".reporting-2023-06-18" : {
    "aliases" : { }
  },
  ".kibana_8.10.2_001" : {
    "aliases" : {
      ".kibana" : {
        "is_hidden" : true
      },
      ".kibana_8.10.2" : {
        "is_hidden" : true
      }
    }
  },
  ".fleet-files-endpoint-000001" : {
    "aliases" : {
      ".fleet-files-endpoint" : {
        "is_write_index" : true
      }
    }
  },
  ".reporting-2023-06-11" : {
    "aliases" : { }
  },
  ".fleet-file-data-endpoint-000001" : {
    "aliases" : {
      ".fleet-file-data-endpoint" : {
        "is_write_index" : true
      }
    }
  },
  ".metrics-endpoint.metadata_united_default" : {
    "aliases" : { }
  },
  ".reporting-2023-07-02" : {
    "aliases" : { }
  },
  ".internal.alerts-observability.apm.alerts-default-000001" : {
    "aliases" : {
      ".alerts-observability.apm.alerts-default" : {
        "is_write_index" : true
      }
    }
  },
  ".kibana_8.7.0_001" : {
    "aliases" : {
      ".kibana_8.7.0" : {
        "is_hidden" : true
      }
    }
  },
  ".reporting-2023-04-09" : {
    "aliases" : { }
  },
  ".slo-observability.summary-v2.temp" : {
    "aliases" : { }
  },
  ".elastic-analytics-collections-v1" : {
    "aliases" : {
      ".elastic-analytics-collections" : {
        "is_write_index" : true,
        "is_hidden" : true
      }
    }
  },
  ".monitoring-kibana-7-2023.11.05" : {
    "aliases" : { }
  },
  ".monitoring-kibana-7-2023.11.06" : {
    "aliases" : { }
  },
  ".monitoring-kibana-7-2023.11.07" : {
    "aliases" : { }
  },
  ".reporting-2023-06-25" : {
    "aliases" : { }
  },
  ".monitoring-kibana-7-2023.11.08" : {
    "aliases" : { }
  },
  ".internal.alerts-security.alerts-default-000001" : {
    "aliases" : {
      ".alerts-security.alerts-default" : {
        "is_write_index" : true
      },
      ".siem-signals-default" : {
        "is_write_index" : false
      }
    }
  },
  ".monitoring-es-7-2023.11.07" : {
    "aliases" : { }
  },
  ".monitoring-es-7-2023.11.08" : {
    "aliases" : { }
  },
  ".kibana_analytics_8.10.2_001" : {
    "aliases" : {
      ".kibana_analytics" : {
        "is_hidden" : true
      },
      ".kibana_analytics_8.10.2" : {
        "is_hidden" : true
      }
    }
  },
  ".monitoring-es-7-2023.11.05" : {
    "aliases" : { }
  },
  ".transform-notifications-000002" : {
    "aliases" : {
      ".transform-notifications-read" : {
        "is_hidden" : true
      }
    }
  },
  ".monitoring-es-7-2023.11.06" : {
    "aliases" : { }
  },
  ".monitoring-es-7-2023.11.03" : {
    "aliases" : { }
  },
  ".monitoring-es-7-2023.11.04" : {
    "aliases" : { }
  },
  ".monitoring-es-7-2023.11.02" : {
    "aliases" : { }
  },
  ".internal.alerts-observability.logs.alerts-default-000001" : {
    "aliases" : {
      ".alerts-observability.logs.alerts-default" : {
        "is_write_index" : true
      }
    }
  },
  ".lists-default-000001" : {
    "aliases" : {
      ".lists-default" : {
        "is_write_index" : true
      }
    }
  },
  ".slo-observability.summary-v2" : {
    "aliases" : { }
  },
  "metrics-endpoint.metadata_current_default" : {
    "aliases" : { }
  },
  ".kibana_security_solution_8.10.2_001" : {
    "aliases" : {
      ".kibana_security_solution" : {
        "is_hidden" : true
      },
      ".kibana_security_solution_8.10.2" : {
        "is_hidden" : true
      }
    }
  },
  ".reporting-2023-04-16" : {
    "aliases" : { }
  },
  ".kibana_ingest_8.10.2_001" : {
    "aliases" : {
      ".kibana_ingest" : {
        "is_hidden" : true
      },
      ".kibana_ingest_8.10.2" : {
        "is_hidden" : true
      }
    }
  },
  ".kibana-observability-ai-assistant-kb-000001" : {
    "aliases" : {
      ".kibana-observability-ai-assistant-kb" : {
        "is_write_index" : true
      }
    }
  }
}
