Purge space indices

[mariano hinjos]

How to purge the size occupied by /var/lib/elasticsearch/nodes/0/indices?

I have installed curator but I can't reduce the size. Any recommendation to purge every so often?

[root@esmas034t 0]# du -sh *
29G     indices
0       node.lock
4,0K    snapshot_cache
1,8M    _state
[root@esmas034t 0]# cd indices/
[root@esmas034t indices]# ls -lrt
total 0
drwxr-sr-x. 6 elasticsearch elasticsearch 47 dic 20 17:19 8bN0MFGqS162SbZTDc83ZQ
drwxr-sr-x. 4 elasticsearch elasticsearch 29 dic 20 17:19 5WIhSzdMRKaoRY8a3wBViw
drwxr-sr-x. 4 elasticsearch elasticsearch 29 dic 20 17:19 1THat0KQQeSU-G2APgl6bA
drwxr-sr-x. 5 elasticsearch elasticsearch 38 dic 20 17:19 mFK0fYznR3Ooehv6BBvvRA

[Yana Zaeva]

Hi,

Thank you for using Wazuh. The best way to purge Elasticsearch indices is using the API. If you go to Index Management in the Kibana interface you should be able to see the size of each one of your indices and also its date (first and second screenshots). You can remove the oldest ones based on the date or the heavier ones. In order to purge them, you can use the DevTool option present in Kibana (third and fourth screenshot), running DELETE <your index name>, or perform an API call: curl -X DELETE "localhost:9200/<your index name>?pretty". You can check the following link for further information. In the DevTool option, once you have written the command you will have to press the green arrow on the right side in order to run it. 

In order to keep a clean environment and remove old indices periodically, I recommend you establish a retention period in your environment, deleting periodically indices that are older than some period of time. I will leave here two links that you might find useful if you want to configure it:

- OpenDistro retention policies. 

- Wazuh index management. 

Hope this was helpful. Let me know if you need anything else. 

Regards,

Yana.