Graylog2-server: Delete particular messages from old graylog indices

Created on 8 Apr 2015 · 3 Comments · Source: Graylog2/graylog2-server

Hello,

I tried to delete particular messages from old Graylog indices (via Elasticsearch XDELETE) but I got:
{"error":"ClusterBlockException[blocked by: [FORBIDDEN/8/index write (api)];]","status":403}

I think the problem is similar to this:
https://groups.google.com/forum/#!msg/elasticsearch/x56A_xeQ9Ok/uAjEpXHEiZ4J

I want to delete messages from indices which are no longer set write-active by Graylog (but they are not closed!), because of my Graylog rotation settings: "rotates the indices every 1 day".

Is there any way to delete particular messages (e.g. msgs from particular hosts) from such indices?

All 3 comments

Command $ curl -XGET 'http://localhost:9200/graylog_10/_settings' gives me a write lock on this old index. So I'm wondering, when I enable writing (via ES) for these old indices and delete old messages, will Graylog have any (sync) problems with these modified indices?

@1tft Graylog sets old indices to read-only (see http://www.elastic.co/guide/en/elasticsearch/reference/1.4/indices-update-settings.html). You can remove the write block from those indices without any problems.

But you should re-calculate index ranges if you removed any messages from those indices (System -> Indices -> Maintenance) so that Graylog can still perform (sensible) searches on them.

Hello, thank you very much for this feedback.
What do you mean by "sensible"? After deleting some messages in this particular index I could search for messages in that index successfully.
Also, when Graylog switches to a new index, recalculation of index range is done automatically, correct?

I wrote a short bash script, for deleting particular messages via Elastic.
I think this can help other users who want to delete some messages from Graylog.

Enable writing for "old" indices:

INDEX_NR=20  # example only: set the index number manually or loop over all indices
curl -XPUT 'http://localhost:9200/graylog_'"$INDEX_NR"'/_settings' -d '{
"index" : {
"blocks.write" : false
}
}'

Deleting messages based on a search query:

# Elasticsearch 1.x delete-by-query endpoint; the body is a query DSL document
curl -XDELETE 'http://localhost:9200/graylog_'"$INDEX_NR"'/_query' -d '{
SOME FANCY QUERY STUFF
}'

Making index read-only again.

curl -XPUT 'http://localhost:9200/graylog_'"$INDEX_NR"'/_settings' -d '{
"index" : {
"blocks.write" : true
}
}'

Optimizing index with flushing included

curl -XPOST 'http://localhost:9200/graylog_'"$INDEX_NR"'/_optimize'

Graylog: re-calculating index ranges

Curl XPOST against the Graylog server!

curl -XPOST http://localhost:12900/system/indices/ranges/rebuild
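
The sequence from the comment above as one script, written here as an added example and not the poster's own code: it re-applies the write block even when the delete fails and refuses index names that would lift the block on more than one index. It assumes the Elasticsearch 1.x delete-by-query endpoint (`DELETE /<index>/_query`) and the `graylog_` index prefix used in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes Elasticsearch 1.x
# (DELETE /<index>/_query) and the "graylog_" index prefix from the thread.
ES_URL="${ES_URL:-http://localhost:9200}"
GRAYLOG_URL="${GRAYLOG_URL:-http://localhost:12900}"

# Single choke point for HTTP calls; --fail turns HTTP errors (such as the
# 403 ClusterBlockException) into a non-zero exit status.
http() {  # $1=method  $2=url  $3=optional JSON body
  if [ -n "${3:-}" ]; then curl -sS --fail -X "$1" "$2" -d "$3"
  else curl -sS --fail -X "$1" "$2"; fi
}

set_write_block() {  # $1=index  $2=true|false
  http PUT "$ES_URL/$1/_settings" "{\"index\":{\"blocks.write\":$2}}"
}

# Accept exactly one numbered index: no wildcards, commas or _all, so the
# write block is never lifted on more indices than intended.
valid_index() {
  case "$1" in
    graylog_*[!0-9]*|graylog_) return 1 ;;
    graylog_*) return 0 ;;
    *) return 1 ;;
  esac
}

purge_index() {  # $1=index  $2=delete-by-query body, e.g. {"query":{...}}
  valid_index "$1" || { echo "refusing index name: $1" >&2; return 64; }
  set_write_block "$1" false || return 1
  del_rc=0
  http DELETE "$ES_URL/$1/_query" "$2" || del_rc=$?
  # Re-apply the block whether or not the delete succeeded.
  set_write_block "$1" true || { echo "WARNING: $1 left writable" >&2; return 2; }
  [ "$del_rc" -eq 0 ] || return "$del_rc"
  http POST "$ES_URL/$1/_optimize" &&
    http POST "$GRAYLOG_URL/system/indices/ranges/rebuild"
}

# Usage: ./purge.sh graylog_20 '{"query":{"term":{"source":"host01"}}}'
# (index number and query are constructed sample values)
if [ "$#" -eq 2 ]; then purge_index "$1" "$2"; fi
```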
