How to search data of last 30 days with elasticsearch alias

Time:03-21

I am using Elasticsearch as an event data storage. I have created an alias with a rotation of 30 days; the total retention period of events will be 2 years, so I will have 24 indices in total.

I want to limit the scope of data according to the query time period. For example, if I have to search data for the last 30 days, then it should search at most 2 indices rather than all 24 indices.

CodePudding user response:

Filtered alias to the rescue!! You can define an alias over all indices with a filter to only query the last 30 days, like this:

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "my-index-*",
        "alias": "my-alias",
        "filter": {
          "bool": {
            "filter": [
              {
                "range": {
                  "@timestamp": {
                    "gte": "now-30d/d"
                  }
                }
              }
            ]
          }
        }
      }
    }
  ]
}

Then, when searching over my-alias you only query the last 30 days of data, whatever the number of indices that the alias spans.

CodePudding user response:

You can use a bool query with must and filter clauses. This will query only the last 30 days of data from your alias or index.

{
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ],
      "filter": [
        {
          "range": {
            "timestamp": {
              "gte": "now-30d/d"
            }
          }
        }
      ]
    }
  }
}
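
As an added example (not part of either answer above), here is one way to resolve the concrete indices a time window touches before searching, so that a 30-day query names at most two of the 24 indices and still carries the range filter from the answers. The index names (`my-index-000001` and so on), the catalog start date and the helper names are assumptions made for illustration.

```python
from datetime import date, timedelta

ROTATION_DAYS = 30  # rotation period stated in the question


def build_catalog(first_day, count, prefix="my-index-"):
    """Constructed catalog: (name, first_day, last_day) for each rotated index.
    The naming scheme is an assumption, not taken from the page."""
    catalog = []
    for n in range(count):
        start = first_day + timedelta(days=n * ROTATION_DAYS)
        end = start + timedelta(days=ROTATION_DAYS - 1)
        catalog.append((f"{prefix}{n + 1:06d}", start, end))
    return catalog


def indices_for_window(catalog, today, days):
    """Names of indices whose day range overlaps [today - days, today]."""
    window_start = today - timedelta(days=days)
    return [name for name, start, end in catalog
            if start <= today and end >= window_start]


def search_request(catalog, today, days, field="@timestamp"):
    """Path and body for a search limited to the overlapping indices."""
    names = indices_for_window(catalog, today, days)
    if not names:
        raise ValueError("no index covers the requested window")
    # Same range filter as in the answers, so documents older than the
    # window inside the oldest selected index are still excluded.
    body = {"query": {"bool": {"filter": [
        {"range": {field: {"gte": f"now-{days}d/d"}}}]}}}
    return f"/{','.join(names)}/_search", body


# Constructed sample: 24 indices (2 years), the first starting 2023-01-01.
CATALOG = build_catalog(date(2023, 1, 1), 24)

if __name__ == "__main__":
    path, body = search_request(CATALOG, date(2024, 6, 15), 30)
    print("GET", path)
    print(body)
```
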