Elasticsearch API request

GET /lb-2026.04/_search
{
  "size": 10000,
  "aggs": {
    "last_entry": {
      "max": {
        "field": "@timestamp"
      }
    }
  }
}

I want to retrieve all the latest-timestamp documents from index lb-2026.04, but the number of documents exceeds 10K; they are approximately 15K. Is there a way to achieve this in a single request?

Welcome to the forum @Cdotisp_Delhi !!

I replied too quickly, not reading the question carefully. Sorry for this.

Your question's wording is slightly ambiguous:

Are you saying you have maybe 15K documents all with the same "max" value of @timestamp from the index? That wasn't my first reading, and it seems unlikely, but maybe that is what you want?

And please note the size parameter is not relevant to the max aggregation you included; the max aggregation is applied to all matching documents anyway, in your case all documents in the index.

If you want just more results returned, the simplest way is to use index.max_result_window, increasing from default 10,000.

PUT lb-2026.04/_settings
{
  "index.max_result_window": 20000
}

then you can query that index with a size parameter up to 20000. But the default is 10K for a reason, so please don't increase it too much without some thought.

So also ask yourself if you really need all the results in one request. What if the result set is not 15K, but rather 150K or 1.5M results?

The official docs suggest the more correct solution would be to use scroll or search_after, and get all docs in chunks. But if you just want a quick fix for today, increasing index.max_result_window is IMO easiest.

Thanks a lot Kevin, it worked, Kudos to you!!! Humans are more dependable than AI.

Hey

Glad you solved it, but I'm reading your question again and I wanted to ask what you mean by

I want to retrieve all latest timestamp documents from Index lb-2026.04

Do you want to get the last 10 documents for example?

In which case, you just need to use sort:

GET /lb-2026.04/_search
{
  "sort": [
    { "@timestamp": { "order": "desc" } }
  ]
}

You can also get more documents with:

GET /lb-2026.04/_search
{
  "size": 100,
  "sort": [
    { "@timestamp": { "order": "desc" } }
  ]
}

Would that solve the question?

TBH: I don't much like modifying index.max_result_window, as it has consequences:

The maximum value of from + size for searches to this index. Defaults to 10000. Search requests take heap memory and time proportional to from + size and this limits that memory. See Scroll or Search After for a more efficient alternative to raising this.

Let's say the last timestamp documents fetched to the elasticsearch index (lb-2026.04) were at Apr 21 06:43, and after that no documents were fetched at all. Then I want all the documents that were fetched at Apr 21 06:43; they may be 2k or 5k or 10k or 15k. That was my question.

If your timestamps are at per-minute granularity then that would be a little bit unusual, in my experience?

I see you accepted a previous answer, but for that requirement you probably need 2 calls:

One aggregation call to get the max value, and then one query to find all docs matching that specific value. And if you really have no idea at all how many docs would match, then calls using the scroll or search_after mechanisms would seem the best approach to me, rather than tweaking the max_result_window parameter.

You can also query all docs with the returned docs sorted on @timestamp as per @dadoonet, and let the client pick out those that match the value of the first doc returned, but a priori you won't know how many that will be. If it's more than the current value of max_result_window you would need to make multiple calls anyway.
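The two-call approach above (max aggregation, then a term query for that exact value) combined with search_after paging, as an added example that is not code from this thread. It assumes a hypothetical unique keyword field `log_id` on each document as the sort tiebreaker, and includes an in-memory stand-in for the `_search` endpoint over constructed documents so it runs offline.

```python
PAGE_SIZE = 1000  # well under the default index.max_result_window of 10,000

def latest_timestamp(search, index):
    """Call 1: max aggregation over the whole index; size 0 because no hits are needed."""
    body = {"size": 0, "aggs": {"last_entry": {"max": {"field": "@timestamp"}}}}
    return search(index, body)["aggregations"]["last_entry"]["value_as_string"]

def docs_at_timestamp(search, index, ts, page_size=PAGE_SIZE):
    """Calls 2..n: term query on that exact value, paged with search_after.
    log_id (assumed unique keyword field) makes the sort total, so no document
    is skipped or repeated between pages, however many match."""
    body = {"size": page_size, "query": {"term": {"@timestamp": ts}},
            "sort": [{"@timestamp": "desc"}, {"log_id": "asc"}]}
    out = []
    while True:
        hits = search(index, body)["hits"]["hits"]
        out.extend(h["_source"] for h in hits)
        if len(hits) < page_size:                # short page: nothing left
            return out
        body["search_after"] = hits[-1]["sort"]  # resume after the last hit

def all_latest_docs(search, index, page_size=PAGE_SIZE):
    return docs_at_timestamp(search, index, latest_timestamp(search, index), page_size)

# Hypothetical in-memory stand-in for the _search endpoint over constructed docs,
# only so the paging logic can be exercised offline; not an Elasticsearch client.
def make_fake_search(docs):
    def search(index, body):
        if "aggs" in body:
            newest = max(d["@timestamp"] for d in docs)
            return {"aggregations": {"last_entry": {"value_as_string": newest}}}
        ts = body["query"]["term"]["@timestamp"]
        hits = sorted(({"_source": d, "sort": [d["@timestamp"], d["log_id"]]}
                       for d in docs if d["@timestamp"] == ts),
                      key=lambda h: h["sort"][1])
        after = body.get("search_after")
        if after:                                # keep only hits strictly after the cursor
            hits = [h for h in hits if h["sort"][1] > after[1]]
        return {"hits": {"hits": hits[:body["size"]]}}
    return search

# Constructed sample: 15 docs at the newest minute, 5 older; page size 4 forces 4 pages.
SAMPLE_DOCS = (
    [{"@timestamp": "2026-04-21T06:43:00Z", "log_id": f"new-{i:03d}"} for i in range(15)]
    + [{"@timestamp": "2026-04-21T06:42:00Z", "log_id": f"old-{i:03d}"} for i in range(5)]
)

if __name__ == "__main__":
    result = all_latest_docs(make_fake_search(SAMPLE_DOCS), "lb-2026.04", page_size=4)
    print(len(result), "documents at", result[0]["@timestamp"])  # 15 documents at 2026-04-21T06:43:00Z
```

Against a real cluster, replace `make_fake_search` with a function that POSTs `body` to `/{index}/_search`; a point-in-time with `_shard_doc` as tiebreaker is the alternative when no unique field exists.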