Index pattern matching all non-system indices

We are running ES6 and have a number of indices:

  • other-%{+YYYY.MM.dd}
  • nginx-%{+YYYY.MM.dd}
  • haproxy-%{+YYYY.MM.dd}

We would like to have an index pattern matching all of these, but discovered that * also matches the system indices.

How can I write a pattern to match only what I want? Are there any other options available beyond a globbing wildcard?

You might be better off adding an alias, I don't think there is anything else what would allow this :slight_smile:

I see the aliases in the documentation, but I don't see of a way to have them created dynamically; it seems the aliases need to be created for each index.

The wildcard aliases are point-in-time, so they would also have to be updated daily (or as the index are created...)

It's kind of painful, but it seems the best option is to rename all user indices so they have a common prefix :cry:

You can add aliases via templates, ie on creation.
You could also use the _rollover API.

1 Like

We're already using templates so using aliases in the templates looks perfect for our use, thanks!

EDIT: we've modified our templates to accomodate the idea of "types" of logs as follows:

{
  "index_patterns": ["haproxy-access", "haproxy-access-*"],
  "aliases": {
    "alllogs-{index}": {},
    "weblogs-{index}": {}
  },
...
}
{
  "index_patterns": ["postfix", "postfix-*"],
  "aliases": {
    "alllogs-{index}": {}
  },
...
}

hi .. hope this is the place to ask questions about Kibana.

I am new to Kibana and so far I have enjoyed playing around with it.

Could su help me out with the following..

If I have a numeric value in a doc eg.. the age of a person.
Is there some way in Kibana that I could show the average age for the
results of my query?

This would be appropriate as a new topic, not a reply to an existing topic.

But, if you're looking to experiment with visualization in Kibana I just wrote a blog post on some examples of how to get started with that:

1 Like

Awesome, think you could rename it to Elastic Stack? :wink:

Ah, I see you're rebranding it! OK.

Please start your own thread.

1 Like

ok thank u:slightly_smiling_face:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.