Perform update or delete by query
ECE ECK Elastic Cloud Hosted Self Managed
It is possible to update or delete the documents but you can only perform these actions on the leader index.
First identify which backing index contains the document you want to update.
### On either of the cluster ###GET logs-generic-default*/_search?filter_path=hits.hits._index { "query": { "match": { "event.sequence": "97" } } }- If the hits returns
"_index": ".ds-logs-generic-default-replicated_from_clustera-<yyyy.MM.dd>-*", then you need to proceed to the next step oncluster A. - If the hits returns
"_index": ".ds-logs-generic-default-replicated_from_clusterb-<yyyy.MM.dd>-*", then you need to proceed to the next step oncluster B. - If the hits returns
"_index": ".ds-logs-generic-default-<yyyy.MM.dd>-*", then you need to proceed to the next step on the same cluster where you performed the search query.
- If the hits returns
Perform the update (or delete) by query:
### On the cluster identified from the previous step ###POST logs-generic-default/_update_by_query { "query": { "match": { "event.sequence": "97" } }, "script": { "source": "ctx._source.event.original = params.new_event", "lang": "painless", "params": { "new_event": "FOOBAR" } } }TipIf a soft delete is merged away before it can be replicated to a follower the following process will fail due to incomplete history on the leader, see index.soft_deletes.retention_lease.period for more details.