If you want to delete old Elasticsearch (ES) indexes, you can use the script below. It deletes only the activity and device log indexes, not the audit logs.
#!/bin/bash
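# Read the Elasticsearch credentials from the FerrumGate env file. Take the
# first matching line and keep everything after the first '=', so a password
# that itself contains '=' is not cut short.
ES_USER=$(grep -m 1 'ES_USER=' /etc/ferrumgate/env | cut -d'=' -f2-)
ES_PASS=$(grep -m 1 'ES_PASS=' /etc/ferrumgate/env | cut -d'=' -f2-)
if [[ -z $ES_USER || -z $ES_PASS ]]; then
  echo "ES_USER/ES_PASS not found in /etc/ferrumgate/env" >&2
  exit 1
fi

# Find the local address Elasticsearch listens on. Match port 9200 in the
# local-address column only (a bare grep for 9200 also hits PIDs, inode
# numbers and ports such as 19200) and keep a single line, otherwise the URL
# built from $IP is malformed.
IP=$(netstat -tuplen | awk '$4 ~ /:9200$/ { print $4; exit }')
if [[ -z $IP ]]; then
  echo "no listener found on port 9200" >&2
  exit 1
fi
# netstat prints IPv6 listeners as "<addr>:<port>" (e.g. ":::9200"); a URL
# needs the address part in brackets.
es_host=${IP%:*}
if [[ $es_host == *:* ]]; then
  IP="[$es_host]:${IP##*:}"
fi

# NOTE(review): -u puts the password on curl's command line, where other local
# users can read it from the process list; curl can take it from a config file
# (-K) instead. The request is plain HTTP with basic auth, which relies on the
# target being a listener on this host.
INDICES=$(curl --silent -u "$ES_USER:$ES_PASS" "http://$IP/_cat/indices" | tr -s ' ' | cut -d' ' -f3)
echo "$INDICES"
# Count non-empty lines so that an empty listing reports 0 instead of 1.
count=$(printf '%s\n' "$INDICES" | grep -c .)
echo "total index:$count"

read -r -p "how many days should left:" DAYS
# DAYS is later used inside an arithmetic expansion, which bash evaluates as
# an expression; accept plain digits only. 0 keeps nothing.
if [[ ! $DAYS =~ ^[0-9]+$ ]]; then
  echo "days must be a non-negative integer" >&2
  exit 1
fi

read -r -p "do you want to continue Y/n " YesNo
# Only an exact "Y" continues. With an unquoted test, an empty answer made
# '[' fail with a syntax error, the 'if' body was skipped and the deletion
# went ahead without confirmation.
if [[ $YesNo != "Y" ]]; then
  exit 0
fi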
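#######################################
# Delete the oldest indexes whose name matches a pattern, keeping the last
# $DAYS entries of the sorted list.
# NOTE(review): "days" equals "indexes" only if there is one index per day and
# the names sort oldest-first (e.g. a date suffix) - confirm against the
# actual index naming.
# Globals:   ES_USER, ES_PASS, IP, DAYS (all read)
# Arguments: $1 - pattern handed to grep to select index names
# Outputs:   "deleting <index>" plus the Elasticsearch response per request
# Returns:   0 if nothing had to be deleted or every request succeeded,
#            1 on invalid input or if any request failed
#######################################
delete(){
  local search=$1
  local indexlist total left index rc=0
  local -a victims=()

  if [[ -z $search ]]; then
    echo "delete: missing index pattern" >&2
    return 1
  fi
  # DAYS goes into an arithmetic expansion, which bash evaluates as an
  # expression; accept plain digits only.
  if [[ ! ${DAYS:-} =~ ^[0-9]+$ ]]; then
    echo "delete: DAYS must be a non-negative integer" >&2
    return 1
  fi

  # NOTE(review): -u puts the password on curl's command line, where other
  # local users can read it from the process list; curl can take it from a
  # config file (-K) instead.
  indexlist=$(curl --silent -u "$ES_USER:$ES_PASS" "http://$IP/_cat/indices" \
    | tr -s ' ' | cut -d' ' -f3 | grep -e "$search" | sort)
  if [[ -z $indexlist ]]; then
    return 0
  fi

  # Quote the list: unquoted, echo joins every name onto one line, wc -l
  # always reports 1, and the loop then deletes either nothing or everything.
  total=$(printf '%s\n' "$indexlist" | wc -l)
  left=$(( total - 10#$DAYS ))
  # A negative count would make GNU head print "all but the last N" lines,
  # which deletes indexes that were meant to be kept.
  if (( left <= 0 )); then
    return 0
  fi

  mapfile -t victims < <(printf '%s\n' "$indexlist" | head -n "$left")
  for index in "${victims[@]}"; do
    # An empty name would turn the request into a DELETE on the root URL.
    [[ -n $index ]] || continue
    echo "deleting $index"
    if ! curl --silent --show-error --fail -u "$ES_USER:$ES_PASS" \
      -XDELETE "http://$IP/$index"; then
      echo "failed to delete $index" >&2
      rc=1
    fi
  done
  return "$rc"
}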
# Prune the activity and device log indexes only. Each word is handed to
# delete() as a grep pattern on the index name; no pattern for the audit
# indexes is passed.
for kind in "activity" "device"; do
  delete "$kind"
done