
Index patterns for time-series in Elasticsearch

Introduction

Index patterns help you organize and search time-based data easily. They let you find data from many time-stamped indexes quickly.

You collect daily logs and want to search across many days.
You monitor system metrics stored in monthly indexes.
You analyze sales data that is saved by week.
You want to visualize trends over time in a dashboard.
You need to filter data by date ranges efficiently.
Syntax
Elasticsearch
PUT /_index_template/template_name
{
  "index_patterns": ["pattern*"],
  "template": {
    "settings": { ... },
    "mappings": { ... }
  }
}
Use wildcards (*) to match multiple indexes by date or name.
Index patterns often include date parts like 'logs-2023.06.*' to cover all June 2023 indexes.
Examples
This creates a template for all logs indexes from June 2023. It sets one shard and defines the timestamp and message fields.
Elasticsearch
PUT /_index_template/logs_template
{
  "index_patterns": ["logs-2023.06.*"],
  "template": {
    "settings": {
      "number_of_shards": 1
    },
    "mappings": {
      "properties": {
        "timestamp": {"type": "date"},
        "message": {"type": "text"}
      }
    }
  }
}
This searches all metrics indexes for June 2023 using the index pattern with a date range filter.
Elasticsearch
GET /metrics-2023.06.*/_search
{
  "query": {
    "range": {
      "timestamp": {
        "gte": "2023-06-01",
        "lt": "2023-07-01"
      }
    }
  }
}
Sample Program

This creates an index template for every index whose name matches events-2023.*, with two shards and event_time and event_type fields. Then it searches the daily index events-2023.06.15, which returns all events stored for June 15, 2023.

Elasticsearch
PUT /_index_template/my_timeseries_template
{
  "index_patterns": ["events-2023.*"],
  "template": {
    "settings": {
      "number_of_shards": 2
    },
    "mappings": {
      "properties": {
        "event_time": {"type": "date"},
        "event_type": {"type": "keyword"}
      }
    }
  }
}

GET /events-2023.06.15/_search
{
  "query": {
    "match_all": {}
  }
}
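To check that the template from the sample program is really applied, the requests below preview the index, write one document, and search the whole events-2023.* pattern with a filter on event_time. This is an added example, not part of the original tutorial. The document values are constructed, and it assumes Elasticsearch 7.9 or later (for the simulate and resolve APIs) with automatic index creation left at its default.

```console
# 1. Preview what a new index named events-2023.06.15 would receive.
#    The response should show number_of_shards 2 and the two field mappings.
POST /_index_template/_simulate_index/events-2023.06.15

# 2. Write one constructed document; the index is auto-created from the template.
POST /events-2023.06.15/_doc?refresh=wait_for
{
  "event_time": "2023-06-15T08:30:00Z",
  "event_type": "login"
}

# 3. Confirm the live mapping matches the template
#    (date and keyword, not dynamically guessed types).
GET /events-2023.06.15/_mapping

# 4. List the concrete indexes the wildcard expands to before searching it.
GET /_resolve/index/events-2023.*

# 5. Search the whole pattern, narrowed to June 15 by event_time.
#    A wildcard that matches no index returns zero hits rather than an error,
#    so an empty result can mean "no such index" as well as "no events".
GET /events-2023.*/_search
{
  "query": {
    "bool": {
      "filter": [
        { "range": { "event_time": { "gte": "2023-06-15", "lt": "2023-06-16" } } },
        { "term": { "event_type": "login" } }
      ]
    }
  }
}
```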
Important Notes

Index patterns use wildcards (*) to match multiple indexes easily.

Templates keep settings and mappings consistent for new time-series indexes. A template is applied when a matching index is created and does not change indexes that already exist.

Using date parts in index names helps organize data by time.

Summary

Index patterns group many time-based indexes for easy searching.

Templates define how these indexes are created and structured.

Use wildcards and date formats to match the right indexes.