Methods of deleting old indices

[Hatim Eissa]

Hello Group

I'm running Wazuh v4.3.8 on a single host. And I was planning to delete old indices due to reaching 98% of disk usage. I've seen your contributions regarding tackling the issue. My question is: Can I do the deletion job using "Dev Tools" or "API Console" in the Wazuh Manager's web console, rather than using the remote curl command? & If so, are there any extra steps needed to be taken into consideration (i.e. stopping a certain service or resetting it after deletion)?
Thanks

[Olusegun Adenrele Oyebo]

Hello Hatim,

Thanks for reaching out.

You can delete old indices using Dev Tools. To list the indices you have using Dev Tools, run command GET _cat/indices?v . This will list the indices you have. From there you can now delete the old indices of your choice, run DELETE /<indices_to_delete>. For example  DELETE /wazuh-alerts-4.x-2024.04.21.

If you want to delete indices for a whole month, let's say for the month of April, you can use the wildcard(*). For example, DELETE /wazuh-alerts-4.x-2024.04* (screenshot attached). Also note that you don't need to perform any restart for this operation.

I hope this helps. If you have any other query, do not hesitate to ask.

Best regards.

[Hatim Eissa]

Hello Olusegun

Thanks for the confirmation. I'll try it let you know.

Regards

[Hatim Eissa]

Hello Olusegun

I did the manual deletion and the capacity is fine now. I'll start working on index lifetime policies for better management. 

Thanks a lot