To delete a document in an Elasticsearch data stream, you can use the _delete API. However, data streams work a bit differently from regular indices in Elasticsearch. A document in a data stream is generally stored across multiple backing indices, so you must first find the specific backing index and document ID.
Here are the steps to delete a document from an Elasticsearch data stream:
Steps to delete a document from a data stream:
Find the document's index:
- Search the data stream to find the document and note the
_indexand_idvalues.
Use a query like this:
GET /<data-stream-name>/_search { "query": { "match": { "<field>": "<value>" } } }Replace
<data-stream-name>,<field>, and<value>with appropriate values. From the result, note the_index(which will be a backing index) and the document's_id.- Search the data stream to find the document and note the
Delete the document:
- Once you have the document’s
_indexand_id, you can delete it using the following command:
DELETE /<index-name>/_doc/<document-id>Replace
<index-name>with the specific backing index you got from the previous search result, and replace<document-id>with the document's ID.- Once you have the document’s
Example:
Search for the document:
GET /logs-metrics/_search { "query": { "match": { "user": "john_doe" } } }The response might return something like:
{ "hits": { "hits": [ { "_index": ".ds-logs-metrics-2023.06.01-000001", "_id": "A1B2C3D4E5F6", "_source": { "user": "john_doe", "action": "login" } } ] } }Delete the document: With
_indexas.ds-logs-metrics-2023.06.01-000001and_idasA1B2C3D4E5F6, delete the document like this:DELETE /.ds-logs-metrics-2023.06.01-000001/_doc/A1B2C3D4E5F6
Important Notes:
- You cannot directly delete a document from a data stream using its alias (i.e., the data stream's name). You must reference the specific backing index.
- Elasticsearch does not automatically delete empty backing indices. You may need to manage these indices manually if required.
Let me know if you need further clarification!