For example, when I search log data on the Discover page, the browser POSTs the following request to the Kibana server:
POST /elasticsearch/_msearch
{"index":["logstash*"],"ignore_unavailable":true,"preference":1523174909784}
{......}
In the above example, why is the index pattern "logstash*" enclosed in square brackets? Is it possible to have multiple index patterns in one search request? If not, then why put it in square brackets? Please kindly correct me if I missed anything. Thanks.
You know, square brackets mean an array of items. So it doesn't make sense to have the index name enclosed in square brackets if Kibana doesn't let the user send multiple index patterns in the same search.
You can actually search multiple indices in Discover, but only a single index pattern (which accesses multiple indices).
The common case is something like logstash-* which searches multiple time-based indices.
You should also be able to create index patterns like logstash1-*, logstash2-* (comma-separated list of index names). But there's a bug in some releases of Kibana which doesn't let you create this index pattern. But Discover is probably using that [ ] syntax for that reason.
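As an added example (not part of the original thread and not Kibana's own code), the sketch below parses an `_msearch` body like the one quoted in the question and lists the index expressions each search targets, which is useful when reviewing captured requests to see which indices a query can reach. The function names and the sample body are constructed for illustration; treating a comma-separated string as a list is an assumption of this sketch.

```javascript
// Split an _msearch NDJSON body into header/body pairs and normalise each
// header's "index" value into a flat list of index expressions.

function normaliseIndex(index) {
  // No index in the header: the search relies on the index in the URL path, if any.
  if (index === undefined || index === null) return [];
  const items = Array.isArray(index) ? index : [index];
  // Assumption: an item may be a comma-separated list such as "logstash1-*,logstash2-*".
  return items
    .flatMap((item) => String(item).split(","))
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

function parseMsearch(ndjson) {
  const lines = ndjson.split("\n").filter((l) => l.trim() !== "");
  if (lines.length % 2 !== 0) {
    throw new Error("msearch body must consist of header/body line pairs");
  }
  const searches = [];
  for (let i = 0; i < lines.length; i += 2) {
    const header = JSON.parse(lines[i]);
    const body = JSON.parse(lines[i + 1]);
    searches.push({ indices: normaliseIndex(header.index), header, body });
  }
  return searches;
}

// Constructed sample: the header from the question, then the same search
// written with two patterns as an array and as a comma-separated string.
const sample = [
  '{"index":["logstash*"],"ignore_unavailable":true,"preference":1523174909784}',
  '{"query":{"match_all":{}},"size":1}',
  '{"index":["logstash1-*","logstash2-*"],"ignore_unavailable":true}',
  '{"query":{"match_all":{}},"size":1}',
  '{"index":"logstash1-*,logstash2-*"}',
  '{"query":{"match_all":{}},"size":1}',
].join("\n") + "\n";

for (const search of parseMsearch(sample)) {
  console.log(search.indices);
}
```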