deleting specific log events

Posted: Tue Jun 11, 2019 10:22 pm
by newmember
Would this be correct syntax to delete all SourceName fields that contain "Microsoft-Windows-Security-Auditing"?
The Query in the GUI looks to be a good filter.
24hrs has = 262300014 hits

curl -XDELETE 'http://localhost:9200/logstash-*/_query?q=SourceName="Microsoft-Windows-Security-Auditing"'

Cheers

Re: deleting specific log events

Posted: Wed Jun 12, 2019 7:14 am
by scottwilkerson
Deleting by query isn't natively available in this version of ES

You have to add it via plugin
https://www.elastic.co/guide/en/elastic ... query.html

cd /usr/local/nagioslogserver/elasticsearch/
sudo bin/plugin --install delete-by-query -u https://download.elastic.co/elasticsearch/release/org/elasticsearch/plugin/delete-by-query/2.4.6/delete-by-query-2.4.6.zip
systemctl restart elasticsearch
then your query should work.

******NOTE******, this obviously is a destructive query, make sure you have a backup of all pertinent data before running in case something goes wrong.
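An added preflight wrapper (example code, not from either post) that sends the same `q=` query to `_count` first and only issues the DELETE when `CONFIRM=yes`, so the number of documents about to go is visible before anything is removed. It assumes the delete-by-query plugin from the reply is installed, uses `ES_URL`, `INDEX` and `CONFIRM` as placeholder variables, and writes the filter in the Lucene `field:"value"` form that the `q=` parameter parses.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: ES_URL, INDEX, CONFIRM.
ES_URL="${ES_URL:-http://localhost:9200}"
INDEX="${INDEX:-logstash-*}"

# Percent-encode a Lucene query string for the q= parameter
# (RFC 3986 unreserved characters pass through, everything else becomes %XX).
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr ' ' '\n' | grep . |
  while read -r hex; do
    case "$hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$hex")" ;;
      *) printf '%%%s' "$hex" | tr 'a-f' 'A-F' ;;
    esac
  done
}

# Build the request URL for an endpoint (_count or _query) and a query string.
build_url() {
  printf '%s/%s/%s?q=%s' "$ES_URL" "$INDEX" "$1" "$(urlencode "$2")"
}

# Count the documents the query matches; the delete uses the identical q=,
# so this is the number that would be removed.
count_matches() {
  curl -s "$(build_url _count "$1")" | sed -n 's/.*"count":\([0-9]*\).*/\1/p'
}

# Dry run by default: print the count and stop unless CONFIRM=yes.
guarded_delete() {
  q="$1"; n="$(count_matches "$q")"
  [ -n "$n" ] || { echo "count request failed; aborting" >&2; return 2; }
  echo "$n document(s) in $INDEX match: $q"
  if [ "$n" -eq 0 ]; then echo "nothing to delete"; return 0; fi
  if [ "${CONFIRM:-no}" != yes ]; then
    echo "dry run only; re-run with CONFIRM=yes to delete"; return 1
  fi
  curl -s -XDELETE "$(build_url _query "$q")"
}

# Usage (dry run):  guarded_delete 'SourceName:"Microsoft-Windows-Security-Auditing"'
# Usage (delete):   CONFIRM=yes guarded_delete 'SourceName:"Microsoft-Windows-Security-Auditing"'
```

Run the dry-run form first and compare its count with what the GUI query reports; if the two disagree, the filter is not selecting what you think and the delete should not be run.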