Hello, 
I'm opening this old thread because I have the same problem.
I used the same command to delete every message with source as target.
For example:
 
 curl -XGET 'http://10.101.81.199:9200/graylog2_20/message/_search?pretty'

My output is:

 {
      "_index" : "graylog2_20",
      "_type" : "message",
      "_id" : "9d8cd406-605f-11e5-943e-005056a9199b",
      "_score" : 1.0,
      "_source":{"gl2_source_node":"297d10be-8e9e-4021-9ab6-deedd27202ce",
"s-ip":"10.101.250.209","time-taken":73,"csUser-Agent":
"Jakarta+Commons-HttpClient/3.1","EventReceivedTime":"2015-09-21 08:54:28",
"date":"2015-09-21","request_time":"12:54:24","version":"1.1","s-port":443,
"timestamp":"2015-09-21 12:54:28.000","SourceModuleName":"iis","time":
"12:54:24","level":6,"_id":"9d8cd406-605f-11e5-943e-005056a9199b",
"gl2_source_input":"5585b15184ae398b735b8d36","c-ip":"64.145.75.146",
"SourceModuleType":"im_file","full_message":"2015-09-21 12:54:24 
10.101.250.209 GET /p1/clients/6035757/populationData 
Jakarta+Commons-HttpClient/3.1 200 0 0 73","cs-uri-stem":
"/p1/clients/6035757/populationData","sc-win32-status":0,"cs-method":"GET",
"message":"2015-09-21 12:54:24 10.101.250.209 GET /p1/clients/6035757/popul"
,"sc-status":"200","SourceName":"IIS","sc-substatus":0,*"source":"SERVER-1"*
,"streams":[]}


So I want to delete every input with source: SERVER-1 in index graylog2_20.

I tried with the following command but the output is null, I'm testing with 
XGET.

# curl -XGET 'http://10.101.81.199:9200/graylog2_20/messages/_query' -d '{
"query_string": {
"default_field" : "source",
"query": "SERVER-1"}}'


Output:
{"_index":"graylog2_20","_type":"messages","_id":"_query","found":false}

Does someone know how to delete by source?

Thank you.





On Thursday, January 16, 2014 at 6:26:40 AM UTC-3, Jean-Luc Bassereau wrote:
>
> That looks something like this for me :
>
> curl -XDELETE 'http://127.0.0.1:9200/graylog2_*/message/_query' -d ' { 
> "query_string" : { "default_field" : "host", "query" : "HOSTNAME" } }'
>
>
> 2014/1/16 Kay Röpke <kro...@gmail.com>
>
>> Hi!
>>
>> You mean the ones listed on the "Sources" page?
>> Those are calculated from the messages in the current indices. Based on 
>> your retention settings the hosts listed there will eventually go away.
>>
>> Graylog2 currently doesn't have a method to delete data, if you really 
>> have to get rid of it, going to elasticsearch directly is your best bet at 
>> this point:
>>
>> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-delete-by-query.html
>>
>> Best,
>> Kay
>>
>> On Thursday, January 16, 2014 10:06:40 AM UTC+1, Martin Zeug wrote:
>>>
>>> Hi, I installed rc1 - works great. But how to remove old sources not used 
>>> anymore?
>>>
>>> Greetings,
>>>
>>> Martin
>>>
>>
>
>
>
> -- 
> Cordialement,
> Jean-Luc Bassereau 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/0e551aea-366a-48e4-af8d-5aacc1f39446%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
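
An added example, not code from any participant in this thread: a preview-then-delete wrapper for the request discussed above, scoped to one index and one `source` value. It assumes the Elasticsearch 1.x delete-by-query endpoint with the body wrapped in a top-level `query` key; the function names, the `ES_URL` placeholder and the refusal of wildcard index names are choices of this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes Elasticsearch 1.x:
# DELETE <index>/<type>/_query with the query wrapped in a top-level "query" key.
# Function names are hypothetical; ES_URL is a placeholder endpoint.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# JSON body shared by the preview and the delete. $1 = field, $2 = value.
build_query() {
  _v=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')   # escape \ and "
  printf '{"query":{"query_string":{"default_field":"%s","query":"%s"}}}' "$1" "$_v"
}

# The mapping type is "message" (singular), as the _search output shows.
# A GET on <index>/messages/_query is answered as a lookup of a document whose
# id is "_query", which is what the {"found":false} reply echoes back.
search_url() { printf '%s/%s/message/_search?size=0' "$ES_URL" "$1"; }
delete_url() { printf '%s/%s/message/_query' "$ES_URL" "$1"; }

# Accept exactly one concrete index: no wildcard, no list, no _all.
check_index() {
  case "$1" in
    ''|_all|*[*,]*) return 1 ;;
    *) return 0 ;;
  esac
}

# $1 = index, $2 = source value, $3 = --delete to actually remove documents.
purge_source() {
  check_index "$1" || { echo "refusing index: $1" >&2; return 2; }
  _body=$(build_query source "$2")
  # Preview: hits.total is the number of documents the delete would match.
  curl -sS -XGET "$(search_url "$1")" -d "$_body" || return 1
  echo
  [ "$3" = "--delete" ] || { echo "dry run; pass --delete to remove" >&2; return 0; }
  curl -sS -XDELETE "$(delete_url "$1")" -d "$_body"
}

# Usage: purge_source graylog2_20 SERVER-1            (preview only)
#        purge_source graylog2_20 SERVER-1 --delete
```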
