Elasticsearchquery~10 mins

Index patterns for time-series in Elasticsearch - Step-by-Step Execution

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Concept Flow - Index patterns for time-series

Start: Time-series data arrives

↓

Create index pattern with date wildcard

↓

Elasticsearch matches indices by pattern

↓

Query runs on matched indices

↓

Results returned for time range

↓

End

Data arrives continuously. We create an index pattern using date wildcards. Elasticsearch matches indices by this pattern. Queries run on matched indices and return results.

Execution Sample

Elasticsearch

GET /logs-2023.06.*/_search
{
  "query": { "range": { "@timestamp": { "gte": "2023-06-01", "lt": "2023-07-01" } } }
}

This query searches all indices starting with 'logs-2023.06.' for documents in June 2023.

Execution Table

Step	Action	Index Pattern Used	Indices Matched	Query Time Range	Result
1	Receive query	logs-2023.06.*	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30	2023-06-01 to 2023-07-01	Ready to search
2	Elasticsearch matches indices	logs-2023.06.*	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30	2023-06-01 to 2023-07-01	Indices matched successfully
3	Run query on matched indices	logs-2023.06.*	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30	2023-06-01 to 2023-07-01	Documents in June returned
4	Return results	logs-2023.06.*	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30	2023-06-01 to 2023-07-01	Results sent to user

💡 Query completes after searching all indices matching the pattern for the specified time range.

Variable Tracker

Variable	Start	After Step 1	After Step 2	After Step 3	Final
Index Pattern	logs-2023.06.*	logs-2023.06.*	logs-2023.06.*	logs-2023.06.*	logs-2023.06.*
Matched Indices	none	none	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30	logs-2023.06.01, logs-2023.06.02, ..., logs-2023.06.30
Query Time Range	none	2023-06-01 to 2023-07-01	2023-06-01 to 2023-07-01	2023-06-01 to 2023-07-01	2023-06-01 to 2023-07-01
Results	none	none	none	Documents in June returned	Documents in June returned

Key Moments - 3 Insights

Why do we use a wildcard like 'logs-2023.06.*' instead of a single index name?

What happens if the query time range does not match any indices?

Can the index pattern include multiple months or years?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table at Step 2, which indices are matched by the pattern 'logs-2023.06.*'?

Alogs-2023.06.01 to logs-2023.06.30

Blogs-2023.05.01 to logs-2023.05.31

Clogs-2022.06.01 to logs-2022.06.30

Dlogs-2023.07.01 to logs-2023.07.31

Concept Snapshot

Index patterns use wildcards to match multiple time-series indices.
Example: logs-2023.06.* matches all June 2023 daily indices.
Queries run on matched indices for the requested time range.
This approach efficiently handles large time-series data.
Adjust patterns to cover desired date ranges.

Full Transcript

This visual execution shows how Elasticsearch uses index patterns with wildcards to query time-series data. Data is stored in daily indices named with dates. A pattern like 'logs-2023.06.*' matches all indices for June 2023. When a query runs with a time range, Elasticsearch finds all indices matching the pattern and searches them. Results from all matched indices are combined and returned. Variables like 'Index Pattern', 'Matched Indices', 'Query Time Range', and 'Results' change step-by-step as the query executes. Key points include why wildcards are used, what happens if no indices match, and how to adjust patterns for different date ranges. The quiz tests understanding of matched indices and results at different steps.