Delete elasticsearch data older than X days in BASH

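If you need to do this in an emergency, here is a quick and dirty script. It expects index names of the form `<prefix>-YYYY.MM.DD` and talks to Elasticsearch on 127.0.0.1:9200. Read the list it prints before answering Y, because a deleted index cannot be recovered.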

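#!/bin/bash
#
# Delete date-stamped Elasticsearch indices older than DAYS_KEPT days.
#
# The script lists the indices on the local node, prints the ones it would
# delete, and only issues DELETE requests after an explicit "Y" answer.
# Deleting an index is irreversible, so the candidate list is built once and
# the same list is used for both the preview and the deletion.
#
# It talks to http://127.0.0.1:9200 without credentials; run it on the node
# (or through a tunnel to the node) whose data you actually mean to prune.

# How many days do you want to keep?
DAYS_KEPT=2

# Which indices are you looking at logstash | filebeat etc
# Used as an extended regular expression, matched against the index name only.
INDICES='filebeat'

###############
### DO NOT MESS WITH THIS SCRIPT BELOW HERE UNLESS YOU KNOW WHAT YOU ARE DOING
###############

ES_URL='http://127.0.0.1:9200'

# Only names that end in -YYYY.MM.DD are ever considered. Taking "the second
# dash-separated field" as the date would read the version in a name such as
# filebeat-6.2.4-2018.01.01 as "624" and mark the index as ancient.
# The conservative character class also keeps the name safe to place in a URL;
# names with other characters are skipped rather than deleted.
DATE_RE='^[A-Za-z0-9_.+-]+-([0-9]{4})\.([0-9]{2})\.([0-9]{2})$'

# A negative or non-numeric value would move the cutoff into the future or
# leave it empty, so refuse anything but a plain non-negative integer.
if ! [[ "${DAYS_KEPT}" =~ ^[0-9]+$ ]]; then
  echo "DAYS_KEPT must be a non-negative integer, got '${DAYS_KEPT}'" >&2
  exit 1
fi

# An empty pattern would select every index.
if [[ -z "${INDICES}" ]]; then
  echo "INDICES must not be empty" >&2
  exit 1
fi

# Intentionally using %d instead of %e for Zero padding
if ! EPOC=$(date --date="${DAYS_KEPT} days ago" +%Y%m%d); then
  echo "Could not compute the cutoff date; nothing deleted." >&2
  exit 1
fi

# -f makes curl fail on an HTTP error instead of handing us an error body to
# parse; -S keeps the error message visible even though -s hides the progress.
if ! ALL_LINES=$(/usr/bin/curl -sS -f -XGET "${ES_URL}/_cat/indices?v"); then
  echo "Could not list indices from ${ES_URL}; nothing deleted." >&2
  exit 1
fi

# Build the list of indices to delete. The index name is the third column of
# the _cat/indices output; the header row and any row whose third column is
# not a well-formed dated name fall out at the DATE_RE check.
TO_DELETE_LIST=()
while read -r _ _ NAME _; do
  [[ "${NAME}" =~ ${INDICES} ]] || continue
  [[ "${NAME}" =~ ${DATE_RE} ]] || continue
  STAMP="${BASH_REMATCH[1]}${BASH_REMATCH[2]}${BASH_REMATCH[3]}"
  # 10# forces base 10 so a leading zero is never read as octal.
  if (( 10#${STAMP} < 10#${EPOC} )); then
    TO_DELETE_LIST+=("${NAME}")
  fi
done <<< "${ALL_LINES}"

if (( ${#TO_DELETE_LIST[@]} == 0 )); then
  echo "No index matching '${INDICES}' is older than ${DAYS_KEPT} days; nothing to delete."
  exit 0
fi

echo
echo "This is what I'm going to delete!!! You can not recover this one gone"
echo

for NAME in "${TO_DELETE_LIST[@]}"; do
  echo "${ES_URL}/${NAME}"
done

echo
echo -n "Only choose Y is this makes sense, Y to continue N to exit [Y/N]:"
read -r INPUT

# Anything other than an explicit yes leaves the data untouched.
case ${INPUT} in

  y|Y|yes|YES|Yes)
    for NAME in "${TO_DELETE_LIST[@]}"; do
      # One exact index name per request: no wildcards, no empty path.
      if ! /usr/bin/curl -XDELETE "${ES_URL}/${NAME}"; then
        echo "DELETE request for ${NAME} failed" >&2
      fi
      sleep 1
    done
    ;;

  n|N|no|NO|No)
    exit
    ;;

  *)
    echo 'Please answer "Y" or "N"'
    ;;

esac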

Author: Andrew
