Searching for time-based data
The peculiar nature of querying time-based data is that it is mostly time-oriented: most queries specify a definite time range, usually pointing to the most recent data. Let's see how we can take advantage of this when searching.
In the previous section, we saw how to create custom indices for time-based data using templates and how to override their settings and mappings. The most important application, as we saw in the preceding section, is modeling the indices we are interested in for querying. This means that we can select specific indices from our entire pool of time-based indices and run operations on only a selected few, rather than on all of them.
Suppose that we have a number of logstash indices named after the week in which they were created. So, in effect, for a year, say 2014, there would be a total of 52 indices. Assume that we also created the indices' names in the format logstash-YYYY-WW, that is, the year-week number format. So, a sample index would have the name logstash-2014...