Hello all,
We're currently using logstash's one-day-per-index model of indices. This is working well within Kibana but I'm struggling to find information on how we should be limiting the number indices queried when writing our own queries. From what I understand, I can either list the filters, potentially with wildcards, in the query URI or add them to the Indices filter in the query itself. My first question is, are these two ways of specifying indices analogous? This post suggests that best practice is to put them on the URI:
This leads to my second question, if my indices are time based, how should I restrict the query to indices falling within the date range I'm interested in? If this is a whole month or year it's easy (just use a wildcard), but what if it's four weeks out of the month, do I have to list each of the 28 indicies within that range to the URI and/or filter? What does Kibana do?