Search for a field across multiple indices

Hi All,

We have ELK 7.6.2 stack running with number of indices in place.

One of the fields in the indices is called requestID which has a unique value e.g. 1-01-TV-PCVEFOW6JXMZSMEVUZBWXPWRFFMPEIG10411767701@1-21506255#10

I want to search across "all" indices for the value mentioned above and fetch complete data related to the field. All the indices have a common prefix (prod_tv*)

Is there a way I could do this?

Thanks

7.6 is very old and is EOL; please upgrade ASAP.

You can use "Multi-target syntax" (Elasticsearch Guide [7.15]) for that.

Thanks. Is there an example of multi target syntax being used somewhere? Is the query run through Dev tools?

Also please provide link to upgrade from 7.6 to 7.15

Thank you

Not directly, but just replace any instance of a single index name with something that matches that docs page. You can do it in Dev tools, yep.

Hi Mark. Sorry I am a little confused.

So I have different indices running in the env. Their names are e.g. prod_tv_A1*, prod_tv_B1, prod_tv_C1, prod_tv_C2

How would I be able to query for a unique field named "requestID" in all the indices above using 7.15?

Also if I upgrade to 7.15 from 7.6.2, do I also need to upgrade the Filebeat, Logstash and Kibana to the same version?

Thanks

You can do that on any version of Elasticsearch.

The recommendation to upgrade is a different matter to your question, but it's something you should look at.

You can also create an alias in those indices and query using the alias name.

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "prod_tv_*",
        "alias": "prod_tv"
      }
    }
  ]
}

A query against prod_tv will query all the indices with this alias.

Thanks. After creating the alias, how do I query for a field named "requestID" and view all fields relevant to that requestID?

Hi All,

In my case the value 1-01-TV-PCVEFOW6JXMZSMEVUZBWXPWRFFMPEIG10411767701@1-21506255#10 appears in "two" indices, one being prod_tv_web_tmkt_access* and the other prod_tv_tlite_access*, and is presented as "requestID" in one and "refID" in the second.

Now if in the dev tools I put the following, it returns the occurrence along with a lot of unrelated info:

GET /prod_tv_*/_search?q=requestId:1-01-TV-PCVEFOW6JXMZSMEVUZBWXPWRFFMPEIG10411767701@1-21506255#10

Please let me know if my approach is correct and if there is a way I could add 'OR' to make it look like below. Also I need to get rid of the unrelated info:

GET /prod_tv_*/_search?q=<requestId OR refID>:1-01-TV-PCVEFOW6JXMZSMEVUZBWXPWRFFMPEIG10411767701@1-21506255#10

Additionally I am unable to make use of the Multi-Target syntax in this scenario. Any help would be appreciated.

Thanks

Found the solution. Following works:

GET /_all/_search
{
  "query": {
    "simple_query_string" : {
        "query": "1-01-TV-PCVEFOW6JXMZSMEVUZBWXPWRFFMPEIG10411767701@1-21506255#10",
        "fields": ["requestId", "RefID"],
        "default_operator": "and"
    }
  }
}
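Added example, not code from the thread: a small Python helper that builds the request the final post arrives at, generalised a little. It takes any list of candidate field names (the thread itself spells them requestID/requestId and refID/RefID, so the names are a parameter), targets an index pattern such as prod_tv_* instead of _all, optionally restricts _source so only the wanted fields come back, and backslash-escapes simple_query_string operators so a request ID taken from user input is always searched literally. Stdlib only; sending the body with an HTTP client is left to the caller.

```python
import json
from typing import List, Optional, Tuple

# Characters simple_query_string interprets as operators (+ | - " ( ) ~ * and
# the backslash itself). A preceding backslash makes them literal.
_SQS_RESERVED = set('+|-"()~*\\')


def escape_sqs(value: str) -> str:
    """Backslash-escape simple_query_string operators in a literal value."""
    return "".join("\\" + ch if ch in _SQS_RESERVED else ch for ch in value)


def build_lookup(value: str, fields: List[str],
                 source_fields: Optional[List[str]] = None,
                 size: int = 50) -> dict:
    """Search body that matches `value` in any of `fields` (OR across fields).

    source_fields=None returns whole documents; a list restricts _source to
    those fields, which is how to drop the unrelated data from each hit.
    """
    if not value.strip():
        raise ValueError("empty lookup value")
    body = {
        "size": size,
        "query": {
            "simple_query_string": {
                "query": escape_sqs(value),
                "fields": fields,
                "default_operator": "and",
            }
        },
    }
    if source_fields is not None:
        body["_source"] = source_fields
    return body


def lookup_request(index_pattern: str, value: str, fields: List[str],
                   source_fields: Optional[List[str]] = None) -> Tuple[str, str]:
    """Return (request path, JSON body) for GET /<index_pattern>/_search."""
    path = f"/{index_pattern}/_search"
    return path, json.dumps(build_lookup(value, fields, source_fields))


if __name__ == "__main__":
    # The request ID from the thread, searched under both field spellings.
    rid = "1-01-TV-PCVEFOW6JXMZSMEVUZBWXPWRFFMPEIG10411767701@1-21506255#10"
    path, body = lookup_request("prod_tv_*", rid, ["requestId", "refID"])
    print(path)
    print(body)
```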