How does timestamp range work with wildcard index?

Elena_K · March 29, 2024, 10:52am

I'm trying to understand how search with a timestamp range works and whether I should use a specific index to make the search faster or if I can use a wildcard. The performance test didn't show any difference.

So I have a wildcard index 1p-minus-system-* and it contains all the date indexes like

1p-minus-system-app-2024-03-27
1p-minus-system-web-2024-03-27
1p-minus-system-app-2024-03-26
1p-minus-system-web-2024-03-26
...

And I try to make a search for the last 10 minutes with the query

{
  "query": {
      "bool": {
          "must": [
              {"match_phrase": {"context.worker": psp}},
              {"range": {"@timestamp": {"gte": "now-10m/m", "lte": "now/m"}}},
          ],
      },
  },
  "_source": ["datetime.date", "context.operation_id", "context.worker", "short_message"],
  "sort": [
      {"@timestamp": {"order": "asc"}}
  ],
}

Christian_Dahlqvist · March 29, 2024, 5:48pm

Using a wildcard to match all indices is fine as querying an index that does not contain any documents matching the timestamp is very quick. This used to be expensive, which required various types of workarounds, but that is no longer the case.

system · April 26, 2024, 5:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.