-
Notifications
You must be signed in to change notification settings - Fork 6
/
remove_grokparsefailure_documents.py
157 lines (124 loc) · 4.81 KB
/
remove_grokparsefailure_documents.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
import datetime
from argparse import ArgumentParser
from elasticsearch import Elasticsearch
import re
import platform # Dealing with CA Certs
#
# Remove ALL _grokparsefailure documents
#
# To-Do:
# Add 'Are you sure?' question before deleting
# Bulk-delete
# Arguments parsing
parser = ArgumentParser(description='Remove ALL _grokparsefailure events')
parser.add_argument('-e', '--endpoint', help='ES endpoint URL', required=True)
parser.add_argument('-d', '--debug', help='Debug', action="store_true")
args = parser.parse_args()
def debug(message):
if DEBUG:
print "DEBUG "+str(message)
def normalize_endpoint(endpoint):
end_with_number = re.compile(":\d+$")
if endpoint[-1:] == '/':
endpoint = endpoint[:-1]
if endpoint[0:5] == "http:" and not end_with_number.search(endpoint):
endpoint = endpoint+":80"
return endpoint
if endpoint[0:6] == "https:" and not end_with_number.search(endpoint):
endpoint = endpoint+":443"
return endpoint
if not end_with_number.search(endpoint):
endpoint = endpoint+":80"
return endpoint
return endpoint
def from_epoch_milliseconds_to_string(epoch_milli):
return str(datetime.datetime.utcfromtimestamp( float(str( epoch_milli )[:-3]+'.'+str( epoch_milli )[-3:]) ).strftime('%Y-%m-%dT%H:%M:%S.%f'))[:-3]+"Z"
def from_epoch_seconds_to_string(epoch_secs):
return from_epoch_milliseconds_to_string(epoch_secs * 1000)
def search_events():
if DEBUG:
current_time = int(datetime.datetime.utcnow().strftime('%s%f')[:-3])
# https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html
# http://elasticsearch-py.readthedocs.io/en/master/api.html#elasticsearch.Elasticsearch.search
res = es.search(size="10000", fields="@timestamp,message,path,host",
body={
"query":{
"filtered":{
"filter":{
"and":[
{
# Optional
},
{
"term":{"tags": '_grokparsefailure'}
}
]
}
}
}
}
)
if DEBUG:
debug("ES search execution time: "+str( int(datetime.datetime.utcnow().strftime('%s%f')[:-3]) - current_time)+"ms" )
return res
def get_ids(res):
ids = []
for hit in res['hits']['hits']:
id = str(hit['_id'])
index = str(hit['_index'])
type = str(hit['_type'])
# [ ( id,index,type),... ]
ids.append( (id,index,type) )
return ids
def remove_ids(documents_to_remove):
global deleted,errors
# http://elasticsearch-py.readthedocs.io/en/master/api.html?highlight=delete#elasticsearch.Elasticsearch.delete
for item in documents_to_remove:
if DEBUG:
current_time = int(datetime.datetime.utcnow().strftime('%s%f')[:-3])
print "Deleting",item[0],"... ",
# [ ( id,index,type),... ]
delete = es.delete(id=item[0], index=item[1], doc_type=item[2])
# if delete['_shards']['successful'] > 0 and delete['_shards']['failed'] == 0:
if delete['found']:
print "Successful!"
deleted += 1
debug("Deleted "+str(deleted))
else:
print "ERROR:",delete
errors += 1
debug("Errors " + str(errors))
if DEBUG:
debug(delete)
debug("ES delete execution time: " + str(
int(datetime.datetime.utcnow().strftime('%s%f')[:-3]) - current_time) + "ms")
return
if args.debug:
DEBUG = args.debug
else:
DEBUG = None
# Workaround to make it work in AWS AMI Linux
# Python in AWS fails to locate the CA to validate the ES SSL endpoint and we need to specify it
# https://access.redhat.com/articles/2039753
if platform.platform()[0:5] == 'Linux':
ca_certs = '/etc/pki/tls/certs/ca-bundle.crt'
else:
# On the other side, in OSX works like a charm.
ca_certs = None
# Elasticsearch endpoint hostname:port
endpoint = normalize_endpoint(args.endpoint)
# http://elasticsearch-py.readthedocs.io/en/master/
es = Elasticsearch([endpoint], verify_certs=True, ca_certs=ca_certs)
res = search_events()
deleted = 0
errors = 0
print "Total documents found: "+str(len(res['hits']['hits']))
if len(res['hits']['hits']) == 0:
print "Nothing to do."
exit(0)
documents_to_remove = get_ids(res)
remove_ids(documents_to_remove)
print "Total Deleted:",deleted
if errors != 0:
print "Total Errors:",errors
exit(1)