Is there a way to get all doc IDs from an index for a specified time range?

Hello,

We recently had an issue that caused one of our servers to report as "down" to heartbeat even though it was up. This caused us to have 3 days of "downtime" in our metrics. We want to fix this by going through and changing all the monitor.status:down to up.

Is there a way to get all of the document IDs from an index over a certain time range? From what I'm seeing in the API, the only way to GET a document is with the ID. If there is a way to get all the IDs from the time range we are looking at, we could go through them each and update the monitor.status.

Thanks!

I now have the below query which returns all of the documents I require:

{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "monitor.name": "<name>"
          }
        },
        {
          "match": {
            "monitor.status": "down"
          }
        },
        {
          "range": { "@timestamp": {"gte": "2020", "lte": "2021"} }
        }
      ]
    }
  }
}

Is there a way to filter this through the API to return just the IDs?

I think this page could help: Retrieve selected fields from a search | Elasticsearch Guide [7.13] | Elastic

Thanks David, I've modified it again and have this:

GET _search
{
  "from": 0, "size": 10000,
  "query": {
    "bool": {
      "must": {
        "match_all": {}
      },
      "filter": [
        {
          "match": {
            "monitor.name": "<name>"
          }
        },
        {
          "match": {
            "monitor.status": "down"
          }
        },
        {
          "range": { "@timestamp": {"gte": "2021-05-28", "lte": "2021-05-29"} }
        }
      ]
    }
  },
  "stored_fields": ["_id"]
}

However, my results look like this:

{
        "_index" : "devops-healthchecks",
        "_type" : "doc",
        "_id" : "g0HatHkBcgMRSH0wiTnx",
        "_score" : 1.0
      },

Is there a way to get just the IDs? Or some way to output this to a CSV? As I'll need a list of the IDs to query. I could parse the result in Python but I'd like to save myself some work if possible.
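The Python parsing step mentioned above, as an added example that is not part of the original thread: it pulls the `_id` values out of a `_search` response, writes them as CSV, builds a `_bulk` partial-update body that sets monitor.status to up, and flags the case where more documents matched than the 10000 returned. The sample response and the second ID are constructed, and the update assumes monitor.status is stored as a nested object in `_source`.

```python
import csv
import io
import json

# Constructed sample response, shaped like the hit shown in the thread.
SAMPLE_RESPONSE = json.loads("""
{
  "hits": {
    "total": {"value": 2, "relation": "eq"},
    "hits": [
      {"_index": "devops-healthchecks", "_type": "doc", "_id": "g0HatHkBcgMRSH0wiTnx", "_score": 1.0},
      {"_index": "devops-healthchecks", "_type": "doc", "_id": "constructed-id-0002", "_score": 1.0}
    ]
  }
}
""")


def extract_ids(response):
    """Return (index, id) pairs and a flag that is True when hits were cut off."""
    hits = response["hits"]
    pairs = [(h["_index"], h["_id"]) for h in hits["hits"]]
    total = hits.get("total", {})
    if isinstance(total, int):  # pre-7.x responses report a bare integer
        total = {"value": total, "relation": "eq"}
    truncated = total.get("relation") == "gte" or total.get("value", 0) > len(pairs)
    return pairs, truncated


def ids_to_csv(pairs):
    """Render the pairs as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["_index", "_id"])
    writer.writerows(pairs)
    return buf.getvalue()


def bulk_update_body(pairs, status="up"):
    """Build the NDJSON body for POST _bulk: one action line and one doc line per ID."""
    lines = []
    for index, doc_id in pairs:
        lines.append(json.dumps({"update": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps({"doc": {"monitor": {"status": status}}}))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pairs, truncated = extract_ids(SAMPLE_RESPONSE)
    print(ids_to_csv(pairs), end="")
    print(bulk_update_body(pairs), end="")
    if truncated:
        print("warning: more matches exist than were returned")
```

If the truncation flag is set, narrow the @timestamp range and repeat the search so that no "down" documents are left unchanged.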
