How to search multiple indices at once?

Hi,

I'm trying to run a deletion from Graylog, and my search query is unfortunately bringing up too many results in one go (around 250k messages).

Using this query:

'value_im_looking_for' AND _index:graylog_777

I'm able to search only in that one index, 777. But is it possible to do it for multiple indices? Without specifying the index, just searching for my value gives me 100 indices.

My delete script uses the search query, so ideally I'd like to break it down to 10 indices at a time to avoid issues.

Thanks.

  1. You can use OR in your search query:
    'value_im_looking_for' AND (_index:graylog_0 OR _index:graylog_1)

  2. If you want to remove certain messages before they are stored in Graylog (as they come in), you can use a pipeline rule to drop them before storage:

rule "drop some messages"
when
    has_field("message") AND
    regex(pattern: "REGEX_PATTERN", value: to_string($message.message)).matches == true
then
    drop_message();
    // added debug message to be notified about the dropped message
    debug(concat("dropped message from ", to_string($message.source)));
end
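One way to generate the batched OR queries from the first answer in code, as an added example that is not from this thread and is not Graylog's own tooling; it assumes index names follow the graylog_N pattern used above and that the delete script accepts a Graylog query string:

```python
"""Build one Graylog search query per batch of indices (assumption: graylog_N index names)."""
from typing import Iterable, List


def quote_term(value: str) -> str:
    """Wrap a literal value in double quotes for the Graylog/Lucene query parser.

    Inside a quoted phrase only the backslash and the double quote need escaping,
    so values containing ':' or '-' are not parsed as field or NOT operators.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def batched_index_queries(value: str, indices: Iterable[str], batch_size: int = 10) -> List[str]:
    """Return queries of the form '"value" AND (_index:a OR _index:b ...)', batch_size indices each."""
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    names = list(indices)
    queries: List[str] = []
    for start in range(0, len(names), batch_size):
        chunk = names[start:start + batch_size]
        index_clause = " OR ".join(f"_index:{name}" for name in chunk)
        queries.append(f"{quote_term(value)} AND ({index_clause})")
    return queries


def graylog_indices(prefix: str, first: int, last: int) -> List[str]:
    """Expand a numeric index range into names such as graylog_0 ... graylog_24 (constructed sample range)."""
    return [f"{prefix}_{n}" for n in range(first, last + 1)]


if __name__ == "__main__":
    # Constructed sample: 25 indices, processed 10 at a time instead of all at once.
    for query in batched_index_queries("value_im_looking_for", graylog_indices("graylog", 0, 24), 10):
        print(query)
```

Feed each returned query to the delete script in turn, so no single run touches more than ten indices.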

if you know the timerange you are looking for, you might be able to reduce the number of indices already.
