Date math support in index namesedit
Date math index name resolution enables you to search a range of time-series indices, rather than searching all of your time-series indices and filtering the results or maintaining aliases. Limiting the number of indices that are searched reduces the load on the cluster and improves execution performance. For example, if you are searching for errors in your daily logs, you can use a date math name template to restrict the search to the past two days.
Almost all APIs that have an index
parameter support date math in the index
parameter
value.
A date math index name takes the following form:
<static_name{date_math_expr{date_format|time_zone}}>
Where:
|
is the static text part of the name |
|
is a dynamic date math expression that computes the date dynamically |
|
is the optional format in which the computed date should be rendered. Defaults to |
|
is the optional time zone. Defaults to |
Pay attention to the usage of small vs capital letters used in the date_format
. For example:
mm
denotes minute of hour, while MM
denotes month of year. Similarly hh
denotes the hour in the
1-12
range in combination with AM/PM
, while HH
denotes the hour in the 0-23
24-hour range.
Date math expressions are resolved locale-independent. Consequently, it is not possible to use any other calendars than the Gregorian calendar.
You must enclose date math index name expressions within angle brackets, and all special characters should be URI encoded. For example:
# GET /<logstash-{now/d}>/_search GET /%3Clogstash-%7Bnow%2Fd%7D%3E/_search { "query" : { "match": { "test": "data" } } }
Percent encoding of date math characters
The special characters used for date rounding must be URI encoded as follows:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The following example shows different forms of date math index names and the final index names they resolve to given the current time is 22nd March 2024 noon utc.
Expression | Resolves to |
---|---|
|
|
|
|
|
|
|
|
|
|
To use the characters {
and }
in the static part of an index name template, escape them
with a backslash \
, for example:
-
<elastic\{ON\}-{now/M}>
resolves toelastic{ON}-2024.03.01
The following example shows a search request that searches the Logstash indices for the past
three days, assuming the indices use the default Logstash index name format,
logstash-yyyy.MM.dd
.
# GET /<logstash-{now/d-2d}>,<logstash-{now/d-1d}>,<logstash-{now/d}>/_search GET /%3Clogstash-%7Bnow%2Fd-2d%7D%3E%2C%3Clogstash-%7Bnow%2Fd-1d%7D%3E%2C%3Clogstash-%7Bnow%2Fd%7D%3E/_search { "query" : { "match": { "test": "data" } } }