elasticsearch ttl force delete old messages

Question

Im set TTL as in manual, but elasticsearch documentation said that messages older then TTL time will be not affected, how can i force deletion of older messages?

Or maybe exists some method to delete messages older then 30 days?

Answer 1

Following from our comment back-and-forth:

I can't access that doc since it's local to your computer. But from the info is seems you're referring to a default of 30 days, probably set by graylog2 (I'm sure it isn't set By Elasticsearch).

But to answer your question: if you've got a timestamp field on your documents do a delete-by-query on that timestamp (select all docs older than 30 days and delete). http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-delete-by-query.html.

To be save, be sure to do a fetch first on the same query instead of a delete to see if you've actually formulated the query correctly.

If you don't have a timestamp on your documents, I'm really not sure how to do this. Still I like to see evidence/docs that Elasticsearch doesn't delete these according to the TTL.