How to select data from multiple indicess

rohitarorait82 · August 20, 2020, 1:09pm

Hi Everyone,

I am new to ELK stack, and I am facing an issue with searching data from multiple indices in single query.

I am able to do this from Dev tool but not from Discover or visualization. Can anyone please help me on this.

aaron-nimocks · August 20, 2020, 1:20pm

Create an index pattern in Management -> Index Patterns. Then you can use that in Discover and Visualizations. Use index-xxx* type format to cover multiple indexes.

rohitarorait82 · August 20, 2020, 1:32pm

Thanks @aaron-nimocks , but I think that will create a single index pattern and all the data will be there in single index only and it might impact the performance as well, and also if I want to generate report from one of the index that will also not be possible.

is there something like join(as we have in sql) to select from multiple indexes

Please suggest.

aaron-nimocks · August 20, 2020, 1:34pm

Can you give an example of the dev tools query you are using to get the result you want?

rohitarorait82 · August 20, 2020, 1:43pm

Hi @aaron-nimocks , below is the query which I got from inspect of visualization

{
"aggs": {
"2": {
"terms": {
"field": "SERVICE_NAME.keyword",
"order": {
"_count": "desc"
},
"size": 500
},
"aggs": {
"3": {
"terms": {
"field": "CHANNEL_NAME.keyword",
"order": {
"_count": "desc"
},
"size": 50
}
}
}
}
},
"size": 0,
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
],
"_source": {
"excludes":
},
"query": {
"bool": {
"must": ,
"filter": [
{
"match_all": {}
},
{
"range": {
"@timestamp": {
"gte": "2020-08-19T13:38:15.991Z",
"lte": "2020-08-20T13:38:15.992Z",
"format": "strict_date_optional_time"
}
}
}
],
"should": ,
"must_not":
}
}
}

Below , is the query which I am using from Devtool
GET */_search" "size" :0, "aggs": { "2": { "terms": { "field": "SERVICE_NAME.keyword", "order": { "1": "desc" }, "size": 500 }, "aggs": { "1": { "cardinality": { "field": "CORREL.keyword" } }, "3": { "terms": { "field": "CHANNEL_NAME.keyword", "order": { "1": "desc" }, "size": 50 }, "aggs": { "1": { "cardinality": { "field": "CORREL.keyword" } } } } } } }, "query": { "bool": { "filter": [ { "range": { "@timestamp": { "gte": "2020-07-11T18:30:00.000Z", "lte": "2020-07-12T18:30:00.000Z", "format": "strict_date_optional_time" } } } ] } }}'

From Dev tool, I am able to get data from multiple Indexes, but from there we are not able to get data in excel format. From Visualization, I am able to get data in excel but there is no way to get it from multiple indexes

aaron-nimocks · August 20, 2020, 1:56pm

Is the ultimate goal to run an aggregation across multiple indexes and then export the result to excel?

rohitarorait82 · August 20, 2020, 2:09pm

@aaron-nimocks : Yes, sometimes , we need to fetch data from multiple indexes using some correlation id in Discover.

However when we are generating reports then we are focused on getting it from single index.

Thanks!!

rohitarorait82 · August 27, 2020, 8:04am

I am using alias for this purpose .. Thanks

system · September 24, 2020, 8:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.