Delete messages from Graylog?

I’m setting up my Graylog instance and I’m trying to get all my data normalized correctly. I’ve got everything normalized as I want, but I’d like to be able to remove specific messages from Elasticsearch.

I’ve been trying curl -XDELETE 'http://localhost:9200/graylog_*/message/_query' -d '{"query_string":{"query":"Classification":"{}"}}'

Classification is a field I extracted out in the messages. I’m wanting to delete the messages that have the classification field, and the value in it is {}

The command works, but it returns that it didn’t find anything.
I also tried pasting the Webgui query for the messages I wanted to delete, and it results the same.

Does the field have to have that value, or just the presence of the field?

Did you install the Delete-by-query plugin before using that command?

Just to add to what jochen mentioned, I needed to set write blocks to “false” on the given indices first, remove the offending message(s), then re-enable the write block, because Graylog flushes and sets a given index to read-only after cycling the deflector (at your designated interval).

curl -XPUT 'localhost:9200/graylog_0/_settings' -d '{"index" : {"blocks": {"write": false}}}'

then

curl -XPUT 'localhost:9200/graylog_0/_settings' -d '{"index" : {"blocks": {"write": true}}}'

Didn’t realize it was a plugin. I tried installing it, but it’s saying that the bin/plugin command isn’t found. I suppose I have to install the plugin manually?

Did you execute it from within your Elasticsearch installation folder? bin/plugin is a relative path. It’s the plugin executable in the bin folder of Elasticsearch.

I found it. I now realize what you meant. /bin/plugin being the path to the script.
Thanks for the help!

Thanks for mentioning this. I remember reading that the old indices are set as read-only.

My last issue is my query structure. The command I posted that I was using is still failing.

curl -XDELETE 'http://localhost:9200/graylog_4/message/_query' -d '{"query_string":{"query":"Classification":"{}"}}'
OR
curl -XDELETE 'http://localhost:9200/graylog_4/message/_query' -d '{"query":{"query_string":{"query":"Classification":"{}"}}}'

It’s still returning false. I’m trying to delete all messages where the Classification field contains “{}” (no quotes).

Something else I found helpful was installing the Sense app in Kibana and doing this work there rather than via CURL. Not that curl won’t work, but it was easier for me via Sense.

Does graylog use Kibana? I was trying to get this up while installing as few external components as possible.

Correct me if I’m wrong, but isn’t Kibana part of the ELK stack? Which begs the question, if I’m going to use Kibana, why use Graylog? Not trying to sound rude, actually asking because I don’t understand.

Valid question. Graylog has a different philosophy than ELK so I suggest you try out both, especially at scale/production load and then choose the tool you like the most.

Fair enough. I may have to do that. But for now, I have to stick with Graylog and just try to get this query working.

Thanks for all the help!

Can you get the query returning the results you want within Graylog? If so, you can go to MORE ACTIONS → SHOW Query and then use that as the query field in your CURL command.

I can. I have tried this and the results are the same.

EDIT: for clarification, the response I get for the queries I’ve run is:

{"found":false,"_index":"graylog_5","_type":"message","_id":"_query","_version":1,"_shards":{"total":1,"successful":1,"failed":0}}
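Added example (not posted by anyone in this thread, and not Graylog's or Elasticsearch's own code): a small script that does the full sequence discussed above in one place, clearing the index write block, running the delete-by-query with a correctly nested request body, and restoring the write block even if the delete fails. It assumes Elasticsearch 1.x/2.x on localhost:9200 with the delete-by-query plugin installed (the `/index/message/_query` endpoint from the thread), that custom Graylog fields such as `Classification` are indexed not_analyzed so a `term` query matches the stored value exactly, and that the index, field and value names are placeholders. The `send` parameter and the fake transport in the usage notes are added for offline testing.

```python
"""Delete Graylog messages from Elasticsearch by query, toggling the index write block.

Added example for this thread; not code from the original posts. Assumptions:
Elasticsearch 1.x/2.x with the delete-by-query plugin, Graylog custom fields
stored not_analyzed, placeholder index/field/value names.
"""
import json
import urllib.request
from typing import Any, Callable, Dict

ES = "http://localhost:9200"  # assumed Elasticsearch base URL

Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


def build_query(field: str, value: str) -> Dict[str, Any]:
    """Return a correctly nested delete-by-query body.

    The bodies tried in the thread put the field name inside the "query"
    string ("query":"Classification":"{}"), which is not valid JSON. A term
    query matches the exact stored value, so "{}" is looked up literally
    instead of being parsed as Lucene range syntax by query_string.
    """
    return {"query": {"term": {field: value}}}


def write_block(blocked: bool) -> Dict[str, Any]:
    """Settings body that sets (True) or clears (False) the index write block."""
    return {"index": {"blocks": {"write": blocked}}}


def http(method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Send one JSON request with the standard library and decode the reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def plugin_missing(reply: Dict[str, Any]) -> bool:
    """Detect the reply shape from the thread.

    Without the delete-by-query plugin, Elasticsearch routes DELETE
    /index/message/_query to the single-document delete API and treats
    "_query" as a document id, answering {"found": false, "_id": "_query"}.
    """
    return reply.get("_id") == "_query" and "found" in reply


def delete_by_query(index: str, field: str, value: str,
                    send: Transport = http) -> Dict[str, Any]:
    """Unblock writes, delete matching messages, then restore the write block.

    The block is restored in a finally clause so a failed delete does not
    leave a Graylog index writable that Graylog expects to be read-only.
    """
    send("PUT", f"{ES}/{index}/_settings", write_block(False))
    try:
        reply = send("DELETE", f"{ES}/{index}/message/_query",
                     build_query(field, value))
    finally:
        send("PUT", f"{ES}/{index}/_settings", write_block(True))
    if plugin_missing(reply):
        raise RuntimeError(
            "Elasticsearch treated _query as a document id: "
            "the delete-by-query plugin is not installed")
    return reply


if __name__ == "__main__":
    # Placeholder index/field/value; runs against a live cluster only.
    print(delete_by_query("graylog_4", "Classification", "{}"))
```

Usage note: pass a fake `send(method, url, body)` to exercise the sequence without a cluster, and expect exactly three calls (PUT unblock, DELETE, PUT re-block) even when the DELETE raises. On Elasticsearch 5.0 and later the plugin is built in and the endpoint is `POST /<index>/_delete_by_query` with the same `{"query": ...}` body, so only the DELETE line changes.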

I think the index name should be graylog_5 instead of graylog5.