I'm trying, without any luck, to find the correct syntax / query to delete multiple messages from a Graylog2 instance (2.4.6 for both ES and Graylog), based on a pattern matching the "source" field (as seen in the Graylog web UI).
I already tried a lot of combinations, but none work:
root@log [~]: curl -XDELETE 'http://localhost:9200/graylog_71/message/_query' -d'{"query" : {"term": { "source" : "exact_server_name_here"}}}'
{"found":false,"_index":"graylog_71","_type":"message","_id":"_query","_version":2,"_shards":{"total":1,"successful":1,"failed":0}}
Another try:
root@log [~]: curl -XDELETE 'http://localhost:9200/graylog_71/message/_query' -d '
{
  "query": {
    "query_string" : {
      "query" : "exact_server_name_here"
    }
  }
}
'
I also checked this SO post, which worked but which does not fit my needs: Delete a specific log message from Graylog
To answer Val's comment: yes, the delete plugin is installed (I forgot to mention this in my initial post).
Bear with the ES newbie I am :)
Thanks
[edit#1] As per Val's request:
root@log [~]: curl 'localhost:9200/_cat/plugins?v'
name component version type url
OK, my bad; being an ES newbie does not excuse everything. The plugin was actually installed, but ES needs to be restarted to make it available (as seen in the _cat/plugins query).
After a restart the following query works flawlessly (of course):
curl -XDELETE 'http://localhost:9200/graylog_68/message/_query' -d '
{
  "query": {
    "query_string" : {
      "query" : "source : <exact_server_name_here>"
    }
  }
}
'
Thanks to Val for the pointer.
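As an added example (not part of the question or of Val's answer), here is a small Python 3 helper that wraps the same delete-by-query call with the two checks this thread shows are worth having: first, parsing `_cat/plugins?v` output to confirm the delete-by-query plugin row is actually present (the header-only output above is what ES prints while the plugin is installed but not yet loaded), and second, running a `_count` with the same body before the `DELETE`, because without the plugin ES interprets `DELETE .../message/_query` as deleting a document whose id is `_query` and answers `found: false` instead of an error. It uses a `term` query on `source` rather than `query_string`, which assumes (as Graylog's index template does) that `source` is indexed not_analyzed, so hostnames containing characters such as `:` or `-` need no escaping. The index name, host and the plugin row in the sample output are constructed placeholders.

```python
import json
import urllib.request

# Constructed sample of `_cat/plugins?v` output with the delete-by-query plugin
# loaded. The data row is hypothetical; the post only shows the header line,
# which is exactly what ES prints when no plugin has been loaded yet.
CAT_PLUGINS_LOADED = """name component        version type url
log  delete-by-query  2.4.6   j
"""
CAT_PLUGINS_EMPTY = "name component version type url\n"


def has_delete_by_query(cat_plugins_text):
    """Return True if a delete-by-query row appears in `_cat/plugins?v` output.

    The first line is the column header; the plugin name is the second column.
    """
    rows = cat_plugins_text.strip().splitlines()[1:]
    return any(len(r.split()) >= 2 and r.split()[1] == "delete-by-query" for r in rows)


def build_source_query(source):
    """Body shared by `_count` and delete-by-query: exact match on `source`.

    A `term` query is used instead of `query_string`, so a hostname containing
    characters that query_string treats as operators (":", "-", "/") needs no
    escaping. Assumes `source` is indexed not_analyzed (Graylog's template).
    """
    return {"query": {"term": {"source": source}}}


def message_url(es_base, index, endpoint):
    """Build `<es_base>/<index>/message/<endpoint>` for Graylog's message type."""
    return "{}/{}/message/{}".format(es_base.rstrip("/"), index, endpoint)


def _request(method, url, body):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def delete_messages_by_source(es_base, index, source, dry_run=True):
    """Count the matching messages, then delete them via the delete-by-query plugin.

    With dry_run=True (the default) nothing is sent: the two requests that would
    be issued are returned so the operator can review index, URL and body first.
    """
    body = build_source_query(source)
    plan = [
        ("POST", message_url(es_base, index, "_count"), body),   # _count accepts a body
        ("DELETE", message_url(es_base, index, "_query"), body),  # delete-by-query plugin
    ]
    if dry_run:
        return plan
    counted = _request("POST", plan[0][1], body)
    if counted.get("count", 0) == 0:
        # Nothing matches: skip the DELETE, which would otherwise hide a wrong
        # field name or a missing plugin behind a harmless-looking response.
        return {"count": 0, "deleted": False}
    deleted = _request("DELETE", plan[1][1], body)
    return {"count": counted["count"], "deleted": True, "response": deleted}


if __name__ == "__main__":
    # Placeholder host, index and source; dry run only prints the planned calls.
    for method, url, body in delete_messages_by_source(
            "http://localhost:9200", "graylog_68", "exact_server_name_here"):
        print(method, url, json.dumps(body))
```

Run it against real `_cat/plugins?v` output with `has_delete_by_query` before switching `dry_run` off; on ES 2.4 the delete-by-query endpoint only exists once that row is present, as the restart in this thread showed.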