Can I limit a watch to today and yesterday using "indices"?

JohnMunson · November 12, 2015, 7:15pm

Hi. I'm brand new to Elasticsearch and Watcher, so I'm still finding my way around. We have daily indices of the form myindex-YYYY.MM.DD, and I've set up a watch that can search them using...
"indices" : [ "myindex-*" ]
... along with a date range to look at the last hour or however long I want.

But because we keep the daily indices for a long time and thus there's a ton of data, I want to limit the search to the current and previous day's index, using something similar to "now" in the "indices" specification -- conceptually something like this:
"indices" : [ "myindex-[today], myindex-[yesterday]" ]

Is it possible to do that, or do I need to let it search all of the daily indices and let the date range throw out all of the data in the older days' indices, as I'm doing now? Thanks.

skearns · November 13, 2015, 12:24am

Hi John,

Yes, this is supported

If you are using Watcher 1.x, you can use dynamic index names in Watcher: https://www.elastic.co/guide/en/watcher/watcher-1.0/dynamic-index-names.html

We liked this dynamic index name feature so much, we brought it to Elasticsearch! If you are using Elasticsearch and Watcher 2.0, it's simply a feature of ES:

https://www.elastic.co/guide/en/elasticsearch/reference/2.0/date-math-index-names.html

Hope that helps!

Steve

Topic		Replies	Views
Can I dynamically specify indices to search? Elasticsearch elastic-stack-alerting	3	662	January 12, 2017
Watcher: dynamic index name does not work Elasticsearch elastic-stack-alerting	7	1718	June 28, 2017
Current Date in watcher Elasticsearch	6	103	April 18, 2024
Elasticsearch filter - Search previous days index Logstash	2	550	April 8, 2020
Watching Logstash indexes Elasticsearch elastic-stack-alerting	2	696	July 6, 2017

Can I limit a watch to today and yesterday using "indices"?

Related topics