Hey guys,
I've a quick question about a behavior of elasticsearch indexes.
So, I use logstash to import data into my AWS elasticsearch cluster.
When I create a normal index and insert, let's say, 10 rows, everything works fine. docs.count tells me that I have 10 rows, _search request works like normal, everything is fine.
When I do the exact same insert, but prefix the index name with a dot ".", it seems like it's working, but now my docs.count tells me 0. And when I try to GET _search the data, I've nothing inserted. (hits.total : 0)
Why does that happen? I didn't find anything special on the internet about prefixing the index name with a ".".
Thank you!
I believe dot-prefixed indices are assumed to be internal system indices, e.g. .kibana, which may explain why there are restrictions on them.
What @Christian_Dahlqvist says is right, Elasticsearch generally uses dot-prefixed index names to distinguish "internal" from "external" indices. It's probably best to avoid dot-prefixed names for your own indices.
However, I do not think they behave specially in this regard:
$ curl 'http://localhost:9200/.i/_bulk?pretty' -H 'Content-type: application/x-ndjson' --data-binary $'{"index":{}}\n{}\n{"index":{}}\n{}\n'
{
  "took" : 286,
  "errors" : false,
  "items" : [
    {
      "index" : {
        "_index" : ".i",
        "_type" : "_doc",
        "_id" : "PZwcsGoB1z9Opyf6E_C4",
        "_version" : 1,
        "result" : "created",
        "_shards" : {
          "total" : 2,
          "successful" : 1,
          "failed" : 0
        },
        "_seq_no" : 0,
        "_primary_term" : 1,
        "status" : 201
      }
    },
    {
      "index" : {
        "_index" : ".i",
        "_type" : "_doc",
        "_id" : "PpwcsGoB1z9Opyf6E_C4",
        "_version" : 1,
        "result" : "created",
        "_shards" : {
          "total" : 2,
          "successful" : 1,
          "failed" : 0
        },
        "_seq_no" : 1,
        "_primary_term" : 1,
        "status" : 201
      }
    }
  ]
}
$ curl 'http://localhost:9200/_cat/shards?v'
index shard prirep state      docs store ip        node
.i    0     p      STARTED       2 2.5kb 127.0.0.1 node-0
.i    0     r      UNASSIGNED
All indices will report that they contain no documents until they are first refreshed. Normally a refresh happens automatically after some time, but it might be disabled by a template that sets refresh_interval to -1. Are you sure that the index still looks empty after a refresh?
Thank you!
So I kept digging, and I actually made a mistake in my .conf file and forgot to prefix my index name.
But as you said, I'll avoid prefixing an index with a dot.