How does timestamp range work with wildcard index?

Elena_K · March 29, 2024, 10:52am

I'm trying to understand how search with a timestamp range works and whether I should use a specific index to make the search faster or if I can use a wildcard. The performance test didn't show any difference.

So I have a wildcard index 1p-minus-system-* and it contains all the date indexes like

1p-minus-system-app-2024-03-27
1p-minus-system-web-2024-03-27
1p-minus-system-app-2024-03-26
1p-minus-system-web-2024-03-26
...

And I try to make a search for the last 10 minutes with the query

{
  "query": {
      "bool": {
          "must": [
              {"match_phrase": {"context.worker": psp}},
              {"range": {"@timestamp": {"gte": "now-10m/m", "lte": "now/m"}}},
          ],
      },
  },
  "_source": ["datetime.date", "context.operation_id", "context.worker", "short_message"],
  "sort": [
      {"@timestamp": {"order": "asc"}}
  ],
}

Christian_Dahlqvist · March 29, 2024, 5:48pm

Using a wildcard to match all indices is fine as querying an index that does not contain any documents matching the timestamp is very quick. This used to be expensive, which required various types of workarounds, but that is no longer the case.

system · April 26, 2024, 5:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Time based indices query strategy Elasticsearch	7	491	January 27, 2019
Indexing and range querying with _timestamp (is there an example?) Elasticsearch	5	401	July 6, 2017
Wildcard queries on date based indexes, searches all indexes? Elasticsearch	1	386	September 4, 2019
Struggling with date ranges Elasticsearch	1	348	September 3, 2018
Filtering by Range Elasticsearch	5	6709	January 26, 2018

How does timestamp range work with wildcard index?

Related topics