Elasticsearch - administration
Everyday ES things
Check state
General state of the cluster:
curl -s -XGET "http://192.168.0.30:32556/_cluster/health" | jq
List all indices, shards
## Indices - detail (remove ?v for less info)
$ curl -s -XGET 'http://192.168.0.30:32556/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana_1 6HYJIJCOQOWBRAYvCtAqPw 1 0 4 0 30.1kb 30.1kb
yellow open filebeat-6.5.4-2019.01.27 j_y0USKYTl2VjxT9Wi6rOw 3 1 377518 0 35.6mb 35.6mb
yellow open filebeat-6.2.4-2019.01.27 Gf5eflbzRAy6z-paONPDGQ 3 1 1091605 0 212.9mb 212.9mb
yellow open filebeat-6.2.4-2019.01.26 Ru6_plBUSVqqQDhCk2oZug 3 1 561850 0 68.7mb 68.7mb
## Shard info
$ curl -s -XGET 'http://192.168.0.30:32556/_cat/shards'
filebeat-6.5.4-2019.01.27 1 p STARTED 142637 13.4mb 192.168.193.107 elasticsearch-data-01
filebeat-6.5.4-2019.01.27 0 p STARTED 143259 13.4mb 192.168.193.107 elasticsearch-data-01
filebeat-6.2.4-2019.01.27 1 p STARTED 476177 100.8mb 192.168.193.107 elasticsearch-data-01
filebeat-6.2.4-2019.01.27 0 p STARTED 477858 100.8mb 192.168.193.107 elasticsearch-data-01
.kibana_1 0 p STARTED 4 30.1kb 192.168.193.107 elasticsearch-data-01
Delete from Elasticsearch
Delete index
Delete an entire index (a wildcard can be used):
curl -XDELETE -H'Content-Type: application/json' "http://192.168.0.30:32556/filebeat-6.2*"
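A pre-flight check for the wildcard delete above, as an added example (not part of the original page): it lists which indices and how many documents a pattern would remove, and refuses match-all style patterns. The function names are hypothetical and the sample input is constructed from the _cat/indices output shown earlier.

```shell
# Constructed sample: the `_cat/indices?v` output shown earlier on this page.
SAMPLE_CAT='health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana_1 6HYJIJCOQOWBRAYvCtAqPw 1 0 4 0 30.1kb 30.1kb
yellow open filebeat-6.5.4-2019.01.27 j_y0USKYTl2VjxT9Wi6rOw 3 1 377518 0 35.6mb 35.6mb
yellow open filebeat-6.2.4-2019.01.27 Gf5eflbzRAy6z-paONPDGQ 3 1 1091605 0 212.9mb 212.9mb
yellow open filebeat-6.2.4-2019.01.26 Ru6_plBUSVqqQDhCk2oZug 3 1 561850 0 68.7mb 68.7mb'

# pattern_is_safe PATTERN (hypothetical helper): refuse patterns that are empty,
# match everything, start with a wildcard, target dot (system) indices such as
# .kibana_1, list several targets, or use glob characters Elasticsearch does not.
pattern_is_safe() {
  case "$1" in
    ''|_all|\**|.*|*,*|*\?*|*\[*) return 1 ;;
    *) return 0 ;;
  esac
}

# matching_indices PATTERN: read `_cat/indices` text on stdin and print
# "index docs.count" for every index the wildcard would hit.
# Column positions assume open indices, as in the sample.
matching_indices() {
  pat=$1
  while read -r _health _status index _uuid _pri _rep docs _rest; do
    [ "$index" = "index" ] && continue   # skip the ?v header row
    case "$index" in
      $pat) printf '%s %s\n' "$index" "$docs" ;;   # unquoted: $pat acts as a glob
    esac
  done
}

# preview_delete PATTERN: summarise what DELETE /PATTERN would remove.
# Returns 2 if the pattern is refused, 1 if nothing matches, 0 otherwise.
preview_delete() {
  pattern_is_safe "$1" || { echo "refused: pattern '$1' is too broad" >&2; return 2; }
  matching_indices "$1" | awk -v p="$1" '
    { n++; docs += $2; print "  would delete: " $1 " (" $2 " docs)" }
    END { printf "%d indices, %d docs match %s\n", n, docs, p; exit (n ? 0 : 1) }'
}

# Demo on the constructed sample; lists the two filebeat-6.2.4 indices.
printf '%s\n' "$SAMPLE_CAT" | preview_delete 'filebeat-6.2*'
```

Against a live cluster, pipe the _cat/indices?v output from curl into preview_delete before issuing the DELETE. Setting action.destructive_requires_name: true on the cluster makes Elasticsearch reject wildcard and _all deletes outright.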
Delete based on search
Search
Do a simple search:
curl -XGET "http://192.168.0.30:32556/filebeat-*/_search?_source=@timestamp,beat.timezone"
Ingestors
curl -XGET "http://192.168.0.30:32556/_ingest/pipeline/file*syslog*"
Change existing index settings
It is easiest to use Dev Tools in Kibana for this. First find the settings for the index you're looking for, like:
GET /filebeat-*/_settings
Then change the settings to reflect the new values (here updating the default filebeat refresh interval from 5s -> 600s and changing the replica count from 1 -> 0, since this is a single-node test cluster):
PUT /filebeat-*/_settings
{
  "index" : {
    "refresh_interval" : "600s",
    "number_of_replicas" : "0"
  }
}
Change template settings
The above is for existing indices. To change the settings going forward, first find the template in question:
GET /_template/filebeat-6.5.4
For filebeat-6.5.4 it is pretty huge: 3000+ lines.
Copy everything below the name of the template, skipping the very top line ("filebeat-6.5.4": {), and copy all of the remaining text.
Then update like:
PUT /_template/filebeat-6.5.4
{
  "order" : 1,
  "index_patterns" : [
    "filebeat-6.5.4-*"
  ],
  "settings" : {
    "index" : {
      "mapping" : {
        "total_fields" : {
          "limit" : "10000"
        }
      },
      "refresh_interval" : "300s",
      "number_of_routing_shards" : "30",
      "number_of_shards" : "1"
    }
  },
  "mappings" : {
[ ... ]