Can I limit a watch to today and yesterday using "indices"?

alerting

#1

Hi. I'm brand new to Elasticsearch and Watcher, so I'm still finding my way around. We have daily indices of the form myindex-YYYY.MM.DD, and I've set up a watch that can search them using...
"indices" : [ "myindex-*" ]
... along with a date range to look at the last hour or however long I want.

But because we keep the daily indices for a long time and thus there's a ton of data, I want to limit the search to the current and previous day's index, using something similar to "now" in the "indices" specification -- conceptually something like this:
"indices" : [ "myindex-[today], myindex-[yesterday]" ]

Is it possible to do that, or do I need to let it search all of the daily indices and let the date range throw out all of the data in the older days' indices, as I'm doing now? Thanks.


(Steve Kearns) #2

Hi John,

Yes, this is supported 🙂

If you are using Watcher 1.x, you can use dynamic index names in Watcher: https://www.elastic.co/guide/en/watcher/watcher-1.0/dynamic-index-names.html

We liked this dynamic index name feature so much, we brought it to Elasticsearch! If you are using Elasticsearch and Watcher 2.0, it's simply a feature of ES:

https://www.elastic.co/guide/en/elasticsearch/reference/2.0/date-math-index-names.html

Hope that helps!

Steve
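
An added example, not part of the reply above or of Elastic's own material: a Watcher 2.0 watch whose search input uses the date math index names from the second link to read only today's and yesterday's `myindex-` indices. The `@timestamp` field, the hourly schedule, the one-hour range, the condition, the `log_hits` action and the `metadata` note are assumptions made for illustration.

```json
{
  "metadata": {
    "note": "constructed example; field names and thresholds are assumptions"
  },
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "<myindex-{now/d{YYYY.MM.dd}}>",
          "<myindex-{now/d-1d{YYYY.MM.dd}}>"
        ],
        "body": {
          "query": {
            "bool": {
              "filter": {
                "range": { "@timestamp": { "gte": "now-1h" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "log_hits": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} matching events in the last hour"
      }
    }
  }
}
```

Date math in index names is evaluated in UTC unless a time zone is given, so keeping yesterday's index in the list covers the lookback window that crosses the daily rollover. The date range filter is still needed, since the index names only narrow which indices are read.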

