WARNING: Version 2.4 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Date math support in index names
editDate math support in index names
editDate math index name resolution enables you to search a range of time-series indices, rather than searching all of your time-series indices and filtering the results or maintaining aliases. Limiting the number of indices that are searched reduces the load on the cluster and improves execution performance. For example, if you are searching for errors in your daily logs, you can use a date math name template to restrict the search to the past two days.
Almost all APIs that have an index
parameter, support date math in the index
parameter
value.
A date math index name takes the following form:
<static_name{date_math_expr{date_format|time_zone}}>
Where:
|
is the static text part of the name |
|
is a dynamic date math expression that computes the date dynamically |
|
is the optional format in which the computed date should be rendered. Defaults to |
|
is the optional time zone . Defaults to |
You must enclose date math index name expressions within angle brackets. For example:
curl -XGET 'localhost:9200/<logstash-{now%2Fd-2d}>/_search' { "query" : { ... } }
The /
used for date rounding must be url encoded as %2F
in any url.
The following example shows different forms of date math index names and the final index names they resolve to given the current time is 22nd March 2024 noon utc.
Expression | Resolves to |
---|---|
|
|
|
|
|
|
|
|
|
|
To use the characters {
and }
in the static part of an index name template, escape them
with a backslash \
, for example:
-
<elastic\{ON\}-{now/M}>
resolves toelastic{ON}-2024.03.01
The following example shows a search request that searches the Logstash indices for the past
three days, assuming the indices use the default Logstash index name format,
logstash-YYYY.MM.dd
.
curl -XGET 'localhost:9200/<logstash-{now%2Fd-2d}>,<logstash-{now%2Fd-1d}>,<logstash-{now%2Fd}>/_search' { "query" : { ... } }