Remove fields in search menu

[itreseau]

Hi,

I created some extractors that i removed then but fields are still present in the list on the search page. How can i delete them and why they don't have been removed when I deleted the extractor ?

Did I do something wrong ?

[edmundoa]

Hi,

You did nothing wrong, it's normal to add and remove fields sometimes. Those fields are still in the Elasticsearch indices used for your search (Graylog doesn't modify the data in ES once it is stored), and that's why they are in the sidebar. One solution for the problem is to wait: once your ES indices are rotated, the removed fields will go away. If that's not good enough for your case, you can manually delete them in Elasticsearch.

We use Github to track issues with the code, please use our mailing list or our IRC channel #graylog on Freenode for support questions about Graylog.

[itreseau]

Hi,

Thanks for your quick reply. Just for my curiosity i would like to know how i can removed them with elastic search. I saw on a website a feed about that : https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update.html

curl -XPOST 'localhost:9200/test/type1/1/_update' -d '{
    "script" : "ctx._source.remove(\"name_of_field\")"
}'

How can I transpose with my graylog config ? I am using a standalone installation and it has been made with the .ova file

[joschi]

@itreseau You simply need to put in your Graylog indices (graylog_* should work instead of test), the correct type (message instead of type1) and the correct document ID. To make things short: If you do not absolutely need to remove those fields, just leave them and wait until the indices have been rotated.

Kindly post general questions around Graylog on the mailing list or in our IRC channel as @edmundoa already mentioned.