Can I dynamically specify indices to search?

anon12945697 · December 14, 2016, 6:21pm

Hi there,

I have a question for Watcher. Can I dynamically specify indices to search?

Example:
I have multiple logs, named in the format: "log-yyyy-mm-dd", like "log-2016-12-14".
I have a watch run every 5 mins, searching for exceptions in log indices in last 30 mins.
Currently, my watch search all indices. It is kind of wasting resource. I would like to specify the indices, to use only today and yesterday's indices. It means I need to dynamically specify indices to search.

How can I do that?

Thanks,

Da

skearns · December 14, 2016, 8:48pm

Yes, you can use index date math[1] to specify an index.

[1] https://www.elastic.co/guide/en/elasticsearch/reference/current/date-math-index-names.html

anon12945697 · December 15, 2016, 6:57pm

That's cool! I'll give it a try

system · January 12, 2017, 6:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can I limit a watch to today and yesterday using "indices"? Elasticsearch elastic-stack-alerting	2	1462	July 6, 2017
Watcher: how to dynamically calculate indices Elasticsearch elastic-stack-alerting	3	1208	July 6, 2017
Watcher: dynamic index name does not work Elasticsearch elastic-stack-alerting	7	1718	June 28, 2017
Dynamic date passing in indices in watcher Elasticsearch elastic-stack-alerting	7	1537	December 21, 2016
Index name date math with wildcard? Elasticsearch elastic-stack-alerting	11	3010	July 6, 2017

Can I dynamically specify indices to search?

Related topics