Date math index pattern

Hi,

I am very new to Kibana and Elasticsearch.
My indexes in Elasticsearch are in the format syslog-YYYY.MM.dd.
I am trying to create an index pattern using date math that matches all indexes over the last 30 days.
The following does not seem to give the desired results:
#GET <syslog-{now/M-1M{YYYY.MM}}*>

Can someone please help me with the right index pattern for the last 30 days?

Hi there,

Elasticsearch does support date math in index names: https://www.elastic.co/guide/en/elasticsearch/reference/current/date-math-index-names.html. However, this will only resolve to a single index name and not an index pattern which is what you want. So if you want to query across the last 3 days, you'd need to do something like this:

# GET /<syslog-{now/d-2d}>,<syslog-{now/d-1d}>,<syslog-{now/d}>/_search

You could also create an alias to point to these indices, which makes things a little more abstract for you.

Probably your best option is to just define your index pattern with a wildcard (syslog-*) and then use the timepicker in Kibana to define the time range you want. It's trivial to define a time range of the last 30 days using this method, and Elasticsearch will try to be efficient in skipping the older indices.

Hope this helps,
CJ

Hi,
Thanks for your reply.
Actually, I have to do this without using the timepicker, as I want to restrict the indices to the last 30 days.

GET /<syslog-{now/d-2d}>,<syslog-{now/d-1d}>,<syslog-{now/d}>/_search

The above will not be feasible in my case. Isn't there any consolidated way of writing the index pattern that does not involve listing the index for each day?

Also, as per my understanding, my index pattern, i.e.
GET <syslog-{now/M-1M{[YYYY.MM]}}*>/_search
resolves to all indexes of the past month (but not the last 30 days). Please correct me if I am wrong on this.

No, there isn't a way to write an index pattern using date math which doesn't involve listing the index for each day.

To answer your second question, index patterns currently support either date math or wildcards, but not both. So the index pattern example you gave is not currently valid. You can follow this issue (https://github.com/elastic/elasticsearch/issues/23145) to track progress on this feature.

Thanks,
CJ
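Both replies above come down to the same point: a date-math index name resolves to exactly one concrete index, so covering the last N days means listing one `<syslog-{now/d-Nd}>` expression per day. The following Python script is an added example, not code from the thread or from Elastic, that builds that list for an arbitrary number of days, percent-encodes it the way the Elasticsearch date-math docs require for the request path, and shows which concrete index names the expressions resolve to on a given (UTC) date. The prefix `syslog`, the day count and the reference date are assumed inputs; the index name format `YYYY.MM.dd` is the one the question gives, which is also Elasticsearch's default date-math format.

```python
from datetime import date, timedelta
from urllib.parse import quote


def date_math_index_names(prefix: str, days: int) -> list[str]:
    """Return one date-math index name per day, oldest first.

    ``days`` = 3 yields ``<prefix-{now/d-2d}>``, ``<prefix-{now/d-1d}>``,
    ``<prefix-{now/d}>``; each expression resolves to a single index.
    """
    names = []
    for offset in range(days - 1, -1, -1):
        # "now/d" rounds to the start of the current UTC day; "-Nd" walks back N days.
        rounded = "now/d" if offset == 0 else f"now/d-{offset}d"
        names.append(f"<{prefix}-{{{rounded}}}>")
    return names


def search_path(prefix: str, days: int) -> str:
    """Build the request path for a multi-index search over the last ``days`` days.

    The date-math characters ``< > { } /`` must be URI-encoded in the path,
    so ``<syslog-{now/d-2d}>`` becomes ``%3Csyslog-%7Bnow%2Fd-2d%7D%3E``.
    The comma separating index names is left as-is.
    """
    raw = ",".join(date_math_index_names(prefix, days))
    return "/" + quote(raw, safe=",") + "/_search"


def resolve_index_names(prefix: str, days: int, today: date) -> list[str]:
    """Show locally what the expressions resolve to on ``today`` (treated as UTC).

    This mirrors the server-side resolution for the default ``YYYY.MM.dd``
    format so you can sanity-check the list before sending the request.
    """
    return [
        f"{prefix}-{(today - timedelta(days=offset)).strftime('%Y.%m.%d')}"
        for offset in range(days - 1, -1, -1)
    ]


if __name__ == "__main__":
    # Constructed reference date for the demonstration.
    ref = date(2017, 3, 1)
    print(date_math_index_names("syslog", 3))
    print(search_path("syslog", 3))
    print(resolve_index_names("syslog", 3, ref))
    print(len(date_math_index_names("syslog", 30)), "indices for the last 30 days")
```

Elasticsearch evaluates `now` in UTC, so the reference date you pass to `resolve_index_names` should be the UTC date, not local time. If some day in the window had no logs and therefore no index, the request fails on the missing name; adding `?ignore_unavailable=true` to the generated path makes Elasticsearch skip it.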
