If you need to do this in an emergency, here is a quick and dirty script.
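#!/bin/bash
#
# Emergency clean-up: delete date-stamped Elasticsearch indices older than
# DAYS_KEPT days from the node at 127.0.0.1:9200.
#
# Deleting an index is irreversible unless a snapshot exists, so the script
# builds the deletion list once, prints it, and deletes exactly that list
# only after an explicit "Y". Names whose date cannot be parsed are skipped,
# never deleted.
#
# NOTE(review): as written the script sends no credentials and uses plain
# HTTP on loopback. If the cluster has authentication enabled, pass the
# credentials through a curl config file (-K) rather than on the command
# line, where they would be visible in the process list.

set -u

# How many days do you want to keep?
DAYS_KEPT=2
# Which indices are you looking at logstash | filebeat etc
# (used as an extended regular expression against the _cat/indices output)
INDICES='filebeat'

###############
### DO NOT MESS WITH THIS SCRIPT BELOW HERE UNLESS YOU KNOW WHAT YOU ARE DOING
###############

readonly ES_URL='http://127.0.0.1:9200'

# A negative or non-numeric value would move the cut-off into the future and
# select every index, so refuse anything but a plain non-negative integer.
if ! [[ "${DAYS_KEPT}" =~ ^[0-9]+$ ]]; then
  echo "DAYS_KEPT must be a non-negative integer, got '${DAYS_KEPT}'" >&2
  exit 1
fi

# Intentionally using %d instead of %e for Zero padding
EPOC=$(date --date="${DAYS_KEPT} days ago" +%Y%m%d) || {
  echo "Could not compute the cut-off date (date --date needs GNU date)" >&2
  exit 1
}

# -f: fail on an HTTP error instead of feeding an error body to the parser.
# The URL is quoted so the shell never treats '?' as a glob character.
CAT_OUTPUT=$(/usr/bin/curl -sf -XGET "${ES_URL}/_cat/indices?v") || {
  echo "Could not list indices from ${ES_URL}" >&2
  exit 1
}
ALL_LINES=$(printf '%s\n' "${CAT_OUTPUT}" | grep -E -- "${INDICES}")

# Build the deletion list a single time; the same array is shown to the
# operator and then deleted, so the two can never disagree.
TO_DELETE_LIST=()
while read -r _ _ INDEX_NAME _; do
  # Column 3 of the _cat/indices table is the index name.
  [ -n "${INDEX_NAME:-}" ] || continue

  # The date is the second '-'-separated field of the name, dots removed.
  REMAINDER=${INDEX_NAME#*-}
  if [ "${REMAINDER}" = "${INDEX_NAME}" ]; then
    echo "Skipping ${INDEX_NAME}: no '-' separated date in the name" >&2
    continue
  fi
  DATE_FIELD=${REMAINDER%%-*}
  FORMATED_LINE=${DATE_FIELD//./}

  # Only an 8-digit YYYYMMDD value is comparable with EPOC. Without this
  # check a version field such as "7.10.0" collapses to "7100", compares as
  # older than any cut-off, and the index would be deleted whatever its age.
  if ! [[ "${FORMATED_LINE}" =~ ^[0-9]{8}$ ]]; then
    echo "Skipping ${INDEX_NAME}: '${DATE_FIELD}' is not a YYYY.MM.DD date" >&2
    continue
  fi

  if [ "${FORMATED_LINE}" -lt "${EPOC}" ]; then
    TO_DELETE_LIST+=("${INDEX_NAME}")
  fi
done <<<"${ALL_LINES}"

if [ "${#TO_DELETE_LIST[@]}" -eq 0 ]; then
  echo "No ${INDICES} index older than ${DAYS_KEPT} days was found; nothing to delete"
  exit 0
fi

echo
echo "This is what I'm going to delete!!! You can not recover this one gone"
echo
for TO_DELETE in "${TO_DELETE_LIST[@]}"; do
  echo "${ES_URL}/${TO_DELETE}"
done
echo
echo -n "Only choose Y is this makes sense, Y to continue N to exit [Y/N]:"
# On EOF (no terminal attached) INPUT is empty and falls through to the
# default branch, so nothing is deleted without an explicit answer.
read -r INPUT

case "${INPUT}" in
  y|Y|yes|YES|Yes)
    for TO_DELETE in "${TO_DELETE_LIST[@]}"; do
      /usr/bin/curl -XDELETE "${ES_URL}/${TO_DELETE}" \
        || echo "DELETE request for ${TO_DELETE} failed" >&2
      # Pause between requests, as in the original, to avoid hammering the node.
      sleep 1
    done
    ;;
  n|N|no|NO|No)
    exit
    ;;
  *)
    echo 'Please answer "Y" or "N"'
    ;;
esac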
