Remove or delete old data from elastic search

Question

How to remove old data from elastic search index as the index has large amount of data being inserted every day.

Why was this question downvoted? – slim Jul 01 '16 at 16:44 — slim, Jul 01 '16 at 16:44

score 22 · Answer 1 · answered Dec 09 '15 at 03:14

22

You can do that with delete by query plugin.

Assuming you have some timestamp or creation date field in your index, your query would look something like this

DELETE /your_index/your_type/_query
{
  "query": {
    "range": {
      "timestamp": {
        "lte": "now-10y"
      }
    }
  }
}

This will delete records older than 10 years.

I hope this helps

answered Dec 09 '15 at 03:14

ChintanShah25

Is there any way to do it in the form of a script so we don't have to run the query manually – sri Dec 09 '15 at 03:23
Does this delete query erase the records completely from the index and allow space for new records to be inserted – sri Dec 09 '15 at 03:26
1

You can set up a `cron job` to do it daily, records are **not** erased after you perform delete, they are **marked** as deleted and during segment merging they are actually removed, you might see increase in index size after deletion or update, you can use [force merge](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-forcemerge.html) to optimize your index – ChintanShah25 Dec 09 '15 at 03:46
What is segment merging ? After segment merging is the size of index decreased – sri Dec 09 '15 at 03:51
1

go through [this](https://www.elastic.co/guide/en/elasticsearch/guide/current/merge-process.html) to understand segment merging, you cant decrease size like that, just deleted data wont be there after merging segments. Also [read](https://www.elastic.co/blog/found-elasticsearch-from-the-bottom-up) about how elasticsearch works to have better understanding. – ChintanShah25 Dec 09 '15 at 04:18

score 12 · Answer 2 · answered Dec 09 '15 at 06:22

12

Split data to daily indexes and use alias as old index name. then Delete the each index daily. just as logstash:

Daily indices :logstash-20151011,logstash-20151012,logstash-20151013.

Full Alias: logstash

Then daily delete last index.

answered Dec 09 '15 at 06:22

Ali Nikneshan

2

Using multiple indexes is the way to go. To delete the older indexes you could use curator: https://www.elastic.co/guide/en/elasticsearch/client/curator/current/index.html – slim Jul 01 '16 at 16:38
1

this is the best answer – Luc E Sep 03 '20 at 10:38

score 0 · Answer 3 · answered Jul 12 '21 at 09:04

0

If you are using time-based indices, that should be something like:

curl -XDELETE http://localhost:9200/test-2017-06

answered Jul 12 '21 at 09:04

Atif Hussain

3 Answers3