delete logs that belong to a specific group


Ricardo Guedes

Nov 7, 2025, 9:15:28 AM
to Wazuh | Mailing List
I want to delete logs that belong to a specific group — for example, rule.groups: windows.
Is there a way to delete only these logs from my indexed data in order to free up disk space?  

Olamilekan Abdullateef Ajani

Nov 7, 2025, 10:01:11 AM
to Wazuh | Mailing List
Hello,

If you want to remove logs from the index, you need to navigate to the indexer management page >> DevTools and use the sample query below:

POST /sample-index1/_delete_by_query
{
  "query": {
    "match": {
      "movie-length": "124"
    }
  }
}


The above matches the documents where movie-length = 124 in the specified index and deletes them. I used the block below to delete from the vulnerability alerts; see the outcome in the attached image.

POST wazuh-alerts-4.x-*/_delete_by_query
{
  "query": {
    "match": {
      "rule.groups": "vulnerability-detector"
    }
  }
}


You can find more configurable options in the documentation below:
https://docs.opensearch.org/latest/api-reference/document-apis/delete-by-query/

That being said, I suggest you also take a look at index lifecycle management policies to help you roll over indexes before they are full.
[Attachment: delete-index.png]

Ricardo Guedes

Nov 9, 2025, 6:25:14 AM
to Wazuh | Mailing List

Thank you very much, that worked, but when I run the command, it deletes a % and then generates this error and stops execution.

Can you help me with this?

"failures": [
    {
      "index": "wazuh-alerts-4.x-2025.05.22",
      "id": "asdasdasdasd",
      "cause": {
        "type": "version_conflict_engine_exception",
        "reason": "[asdasdasd]: version conflict, required seqNo [123123123], primary term [1]. but no document was found",
        "index": "wazuh-alerts-4.x-2025.05.22",
        "shard": "0",
        "index_uuid": "asdasdasd"
      },
      "status": 409
    },

Olamilekan Abdullateef Ajani

Nov 10, 2025, 9:04:49 AM
to Wazuh | Mailing List
Hello,

Error 409 typically means conflict; it is an HTTP status code indicating that a request could not be completed due to a conflict with the current state of the target resource. This means that the server received a valid request, but it cannot continue processing because of the status of the resources being accessed.

In OpenSearch terms, this means the document was already deleted or updated by another process between the time your delete query started scanning and the time it tried to delete it. OpenSearch keeps sequence numbers to maintain consistency across replicas. If it cannot find the expected version because the document in question is gone or changed, it raises a 409 version conflict error.

You can use the conflict/proceed option as described below or, better still, review the query being used.

POST wazuh-alerts-4.x-*/_delete_by_query?conflicts=proceed
{
  "query": {
    "match": {
      "syscheck.event": "deleted"
    }
  }
}
[Attachment: index-delete.png]
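The two replies above together describe the procedure: a `_delete_by_query` scoped to the `wazuh-alerts-4.x-*` pattern with a `match` on `rule.groups`, and `conflicts=proceed` so that 409 version conflicts are counted instead of aborting the run. The script below is an added example, not code from the thread or from the Wazuh project. It adds the check a practitioner wants before a destructive query, a `_count` dry run with the same body, and a small parser that tells the difference between a run that was aborted by a 409 (the failure shown in the thread), a run that recorded conflicts but finished, and a run with other failures. The indexer URL, credentials, CA file and index pattern are assumptions; change them for your deployment.

```python
"""Added example (not from the mailing-list thread): preview how many Wazuh
alerts match a rule group, then remove them with OpenSearch's
_delete_by_query using conflicts=proceed, so 409 version conflicts are
counted rather than stopping the run. Indexer URL, credentials, CA file and
index pattern are assumptions; set them for your deployment."""
import base64
import json
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlencode

INDEXER_URL = "https://localhost:9200"   # assumed indexer endpoint
INDEX_PATTERN = "wazuh-alerts-4.x-*"     # index pattern used in the thread
AUTH = ("admin", "CHANGE_ME")            # placeholder credentials
CA_FILE = None                           # path to the indexer CA cert, if needed


def group_query(group: str) -> dict:
    """Query body matching documents whose rule.groups contains `group`."""
    return {"query": {"match": {"rule.groups": group}}}


def delete_by_query_url(index_pattern: str, proceed_on_conflict: bool = True) -> str:
    """Build the _delete_by_query URL; conflicts=proceed keeps going past 409s."""
    url = f"{INDEXER_URL}/{index_pattern}/_delete_by_query"
    return url + ("?" + urlencode({"conflicts": "proceed"}) if proceed_on_conflict else "")


def summarize_result(resp: dict) -> dict:
    """Reduce a _delete_by_query response to the numbers an operator checks.

    Without conflicts=proceed a 409 appears under "failures" and the run
    stops early (this is what the thread shows); with it the
    "version_conflicts" counter grows and the run continues. Any entry in
    "failures" whose status is not 409 is a hard failure worth investigating.
    """
    failures = resp.get("failures", [])
    hard = [f for f in failures if f.get("status") != 409]
    return {
        "deleted": resp.get("deleted", 0),
        "version_conflicts": resp.get("version_conflicts", 0),
        "hard_failures": len(hard),
        "aborted": bool(failures),
        "completed": (not resp.get("timed_out", False)) and not failures,
    }


def _request(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Send one JSON request to the indexer with HTTP basic auth over TLS."""
    data = json.dumps(body).encode() if body is not None else None
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Content-Type": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=CA_FILE)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as r:
        return json.load(r)


def count_group(group: str, index_pattern: str = INDEX_PATTERN) -> int:
    """Dry run: how many documents the delete would touch (same query body)."""
    url = f"{INDEXER_URL}/{index_pattern}/_count"
    return _request("POST", url, group_query(group))["count"]


def delete_group(group: str, index_pattern: str = INDEX_PATTERN) -> dict:
    """Delete the matching documents, tolerating version conflicts."""
    resp = _request("POST", delete_by_query_url(index_pattern), group_query(group))
    return summarize_result(resp)


# Constructed sample response modelled on the failure quoted in the thread;
# the ids and sequence numbers are placeholders, not real values.
SAMPLE_ABORTED_RESPONSE = {
    "took": 1234, "timed_out": False, "total": 3, "deleted": 2,
    "version_conflicts": 1,
    "failures": [{
        "index": "wazuh-alerts-4.x-2025.05.22", "id": "asdasdasdasd",
        "cause": {"type": "version_conflict_engine_exception"},
        "status": 409,
    }],
}


if __name__ == "__main__":
    n = count_group("windows")
    print(f"{n} documents match rule.groups=windows under {INDEX_PATTERN}")
    if n and input("Delete them? [y/N] ").strip().lower() == "y":
        print(delete_group("windows"))
```

Two caveats worth keeping in mind when the goal is disk space: `_delete_by_query` only marks documents as deleted, and the bytes are reclaimed when Lucene merges the affected segments, so the index may not shrink immediately; and a `match` on `rule.groups` is an analyzed text match, so count first and inspect a few hits with `_search` if the group name is a substring of other group names. Removing whole daily indices through an index state management policy, as the first reply suggests, frees space directly and is the safer routine mechanism.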