Direct modification of data in production environments is never recommended.
Any operation or configuration change planned for a production environment must first be tested in a dedicated test environment, and a full system backup should always be taken beforehand.

Checking Indexes

Check Document Count

curl -X GET "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_doc/_count"

Check Index with Where Clause

curl -X GET "<ELASTICSEARCH_IP>:9200/*/_search?pretty=true&q=apn:KPS+XYS"
The same kind of filter as a JSON query body, limited to a time range:
curl -X GET "<ELASTICSEARCH_IP>:9200/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "apn": "TEST KPS GW"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-7d/d",
              "lt": "now-5d/d"
            }}}]}}}'
To return, as a script field, the tch entry whose key (k) is Content-Type:
curl -X GET "<ELASTICSEARCH_IP>:9200/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "script_fields": {
    "content_type": {
      "script": {
        "lang": "painless",
        "source": "if (params._source == null || params._source.tch == null) return null; for (def h : params._source.tch) { if (h.k == \"Content-Type\") return h; } return null;"
      }
    }
  }
}'


Finding Requests Whose CID Differs from the Response

curl --location --request GET 'http://<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
  "query": {
    "bool": {
      "filter": [
        {
          "script": {
            "script": {
              "lang": "painless",
              "source": "doc.containsKey(\"aci.keyword\") != doc.containsKey(\"fbarh[1].keyword\")"
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-11-28T16:30:32.000Z"
            }
          }
        }
      ]
    }
  }
}'


Finding Request on Specific Interval

curl --location --request GET '<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
    "query":{
        "bool":{
            "filter":[
                {
                    "match":{
                        "apn":"Test GW"
                    }
                },
                {
                    "range":{
                        "@timestamp":{
                            "gte":"2025-11-04T09:36:00.183Z",
                            "lte":"2025-11-04T12:36:00.183Z"
                        }
                    }
                }
            ]
        }
    },
    "aggs":{
        "reqs_over_time":{
            "date_histogram":{
                "field": "@timestamp",
                "fixed_interval": "6s"
            }
        }
    }
}'


Find Documents by Correlation ID

curl -X GET "<ELASTICSEARCH_IP>:9200/_search?pretty" -H 'Content-Type: application/json' -d' { "query" : { "match":{ "aci": "c3d8523e-e3ac-497b-ac7a-76853198c239" }}}'


Delete by Index Name

curl -X DELETE "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>"


Deleting Indexes with Given Word

curl -X DELETE "<ELASTICSEARCH_IP>:9200/*metric*"


Changing Elasticsearch Cluster's Read_Only Status

curl -X PUT "<ELASTICSEARCH_IP>:9200/_all/_settings" -H "Content-Type: application/json" -d'
{
    "index.blocks.read_only_allow_delete": null,
    "index.blocks.write": null
}'

For only one index:

curl -X PUT "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_settings?pretty" -H 'Content-Type: application/json' -d' 
{
    "index.blocks.read_only_allow_delete": null,
    "index.blocks.write": null
}'


Switching to New Index with Rollover

curl -X POST "http://<ELASTICSEARCH_IP>:9200/apinizer-log-apiproxy-<INDEX_KEY>/_rollover"


Search

Search Documents on Specific Index

curl -X GET "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_search?pretty=true&q=*:*"

Search Documents on Index with Criteria

curl -X GET "<ELASTICSEARCH_IP>:9200/*/_search?pretty=true&q=apiProxyName:Petstore+API"

Search Documents by Interval

curl --location --request GET '<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
    "query":{
        "bool":{
            "must":[
                {
                    "match":{
                        "apn": "Test GW"
                    }
                },
                {
                    "range":{
                        "@timestamp":{
                            "gte":"now-5M/M",
                            "lte":"now/d"
                        }
                    }
                }
            ]
        }
    }
}'

Search with Conditions and Aggregating the Results

curl --location --request GET 'http://<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
    "query":{
        "bool":{
            "filter":[
                {
                    "match": {
                        "apn":"Test GW"
                    }
                },
                {
                    "range":{
                        "@timestamp":{
                            "gte":"2025-12-28T15:08:00.000Z",
                            "lte":"2025-12-30T15:08:00.000Z"
                        }
                    }
                }
            ]
        }
    },
    "aggs": {
        "reqs_over_time":{
            "date_histogram":{
                "field":"@timestamp",
                "fixed_interval":"10s"
            }
        }
    }
}'

Finding the Number of Requests Made by Each Authorized User to Each API Proxy in the Last Day

curl -X GET "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now/d",
        "lt": "now+1d/d"
      }
    }
  },
  "aggs": {
    "by_uok": {
      "terms": { "field": "uok", "size": 1000 },
      "aggs": {
        "by_apn": {
          "terms": {
            "field": "apn",
            "size": 1000,
            "missing": "NotARegisteredApiProxy"
          }
        }
      }
    }
  }
}'

Update

Update Document

curl -X PUT "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_doc/1?pretty" -H 'Content-Type: application/json' -d'
{
  "name": "John Doe"
}'


Deleting Some Key and Values

curl -X POST "<ELASTICSEARCH_IP>:9200/_update_by_query?pretty" -H 'Content-Type: application/json' -d'
{
  "script": "ctx._source.headerRequestFromClient.remove(\"header-name-1\"); ctx._source.headerRequestToTarget.remove(\"header-name-2\");",
  "query": { "match_all": {} }
}'


Deleting Specific Values by Criteria

curl -X POST "<ELASTICSEARCH_IP>:9200/*/_update_by_query?pretty&conflicts=proceed&requests_per_second=200" -H 'Content-Type: application/json' -d'
{
  "query": {
    "bool": {
      "filter": {
        "exists": {
          "field": "headerRequestFromClient.user_username"
        }
      },
      "must_not": {
        "term": {
          "headerRequestFromClient.user_password": ""
        }
      }
    }
  },
  "script": "ctx._source.headerRequestFromClient.remove(\"user_password\");"
}'
  • The requests_per_second value throttles the operation, which prevents Execution Reject errors.
  • The batch size is 1000 by default, so with requests_per_second=200 the waiting time between two requests works out to 5 (= 1000/200) seconds.
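
A count, scrub and verify wrapper around the user_password cleanup above, as an added example that is not part of the original page. ES_URL, INDEX and the function names are assumptions, as is the exists query used for counting, which only matches when the field is mapped and indexed.

```shell
#!/usr/bin/env bash
# Added example: count -> scrub -> verify for the user_password cleanup above.
# ES_URL, INDEX and all function names are assumptions made for this sketch.
ES_URL="${ES_URL:-http://localhost:9200}"
INDEX="${INDEX:-*}"
PARENT="headerRequestFromClient"
FIELD="user_password"

# Query used by both the count and the update, so they select the same
# documents. Assumes the field is mapped, so "exists" can match it.
scrub_query() {
  printf '{"bool":{"filter":{"exists":{"field":"%s.%s"}}}}' "$PARENT" "$FIELD"
}

# Body for _update_by_query: the query plus the Painless removal script.
scrub_body() {
  printf '{"query":%s,"script":{"lang":"painless","source":"ctx._source.%s.remove(\\"%s\\")"}}' \
    "$(scrub_query)" "$PARENT" "$FIELD"
}

# es METHOD PATH [BODY]: the single place that talks to the cluster.
es() {
  curl -sS -X "$1" "$ES_URL/$2" -H 'Content-Type: application/json' ${3:+-d "$3"}
}

# Number of documents that still contain the field.
remaining() {
  es GET "$INDEX/_count" "{\"query\":$(scrub_query)}" |
    sed -n 's/.*"count"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Returns 0 only when no document contains the field afterwards.
scrub() {
  before=$(remaining)
  echo "documents containing $FIELD before: ${before:-unknown}"
  [ -n "$before" ] || return 2       # count failed: do not modify anything
  [ "$before" -gt 0 ] || return 0    # nothing to do
  es POST "$INDEX/_update_by_query?conflicts=proceed&requests_per_second=200&refresh=true" \
    "$(scrub_body)" >/dev/null || return 2
  after=$(remaining)
  echo "documents containing $FIELD after: ${after:-unknown}"
  [ "${after:-1}" -eq 0 ]
}
```

Source the file and call scrub; a non-zero exit status means documents still contain the field or the cluster could not be queried.
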
To remove several fields from the documents in a date range:
curl -X POST "http://<ELASTICSEARCH_IP>:9200/*/_update_by_query?conflicts=proceed&wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
  "script": {
    "source": "ctx._source.remove(\"apiGatewayApiMethodId\"); ctx._source.remove(\"tbah\"); ctx._source.remove(\"tba\"); ctx._source.remove(\"fbarh\"); ctx._source.remove(\"fbarb\"); ctx._source.remove(\"paramRequestToTarget\");",
    "lang": "painless"
  },
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2019-02-01T20:03:12.963",
              "lte": "2019-04-30T20:03:12.963"
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  }
}'


Deleting Response Body Fields from Logs of a Rest Endpoint

This endpoint must be defined as an OpenAPI or no-spec type API proxy. If another API proxy uses the same endpoint, the query must also filter by API proxy name.

curl --location --request POST 'http://<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_update_by_query?pretty' --header 'Content-Type: application/json' --data-raw '{
  "script": {
    "source": "ctx._source.remove(\"tcb\"); ctx._source.remove(\"fbarb\")",
    "lang": "painless"
  },
  "query": {
    "term": {
      "apmn": "/anApiProxyEndpoint"
    }
  }
}'


Deleting Logs Up to a Specific Date

curl -X POST "<ELASTICSEARCH_IP>:9200/.ds-apinizer-log-apiproxy-<LOG_KEY>-000*/_update_by_query?pretty" -H 'Content-Type: application/json' -d '
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lte": "2024-04-20T00:00:00.000Z" 
            }
          }
       }
      ]
    }
  },
  "script": {
    "source": "ctx._source.remove(\"tba\"); ctx._source.remove(\"fbarb\"); ctx._source.remove(\"tcb\")"
  }
}'

To delete by API proxy ID instead of by time range, replace the "range": { "@timestamp": { "lte": "2024-04-20T00:00:00.000Z" } } filter with "match": { "api": "64ac03067e8f7400cf4adbdd" }.

To examine the Elasticsearch data structure and identify the fields to delete, see API Traffic Log Data Structure.

Setting Replica Number

curl -X PUT "<ELASTICSEARCH_IP>:9200/_index_template/<TEMPLATE_NAME>?pretty" -H 'Content-Type: application/json' -d'
{
  "index_patterns": ["apinizer-log-*", "apinizer-metric-*", "mongo-db-*"],
  "data_stream": { },
  "template": {
    "settings": {
      "index": {
        "number_of_shards": 1,
        "number_of_replicas": 0
      }
    }
  },
  "priority": 501
}'
For indexes that already exist:
curl -XPUT '<ELASTICSEARCH_IP>:9200/*/_settings' -H 'Content-Type: application/json' -d'
{
	"index" : {            
		"number_of_replicas" : 0
	}    
}'

Shard Allocation

curl -X PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
    "transient" : {
        "cluster.routing.allocation.enable" : "all"
    }
}'

Shard Limit

curl -X PUT "http://<ELASTICSEARCH_IP>:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.total_shards_per_node": 2000,
    "cluster.max_shards_per_node": 2000
  }
}'

Changing Log Level

curl -X PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" -H 'Content-Type: application/json' -d'{"transient":{"logger._root":"DEBUG"}}'
curl -X PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" -H 'Content-Type: application/json' -d'{"transient":{"logger._root":"INFO"}}'

Slow Log Settings

curl -X PUT "<ELASTICSEARCH_IP>:9200/*log*/_settings?pretty" -H 'Content-Type: application/json' -d'
 {
  "index.search.slowlog.threshold.fetch.trace": "200ms",
  "index.search.slowlog.threshold.query.trace": "200ms"
}'

Elasticsearch Shard and Replication Management

Enabling Shard Allocation:

curl -XPUT '<ELASTICSEARCH_IP>:9200/_cluster/settings' -d '{
    "transient" : {
        "cluster.routing.allocation.enable" : "all"
    }
}' --header 'Content-Type:application/json'

Retrying Failed Shards:

curl -XPOST '<ELASTICSEARCH_IP>:9200/_cluster/reroute?retry_failed'  --header 'Content-Type:application/json'

Get Cluster Allocation Explanation:

curl -XGET '<ELASTICSEARCH_IP>:9200/_cluster/allocation/explain?pretty'

Updating Index Replication Settings:

curl -XPUT '<ELASTICSEARCH_IP>:9200/_settings' -d '
{
    "index" : {
        "number_of_replicas" : 0
    }
}'  --header 'Content-Type:application/json'

Other

_cat APIs

curl -X GET "<ELASTICSEARCH_IP>:9200/_cat/indices/*?v&s=index&pretty"

curl -X GET "<ELASTICSEARCH_IP>:9200/_cat/thread_pool?v&h=id,node_name,ip,name,core,queue,rejected,completed,max"

_nodes APIs

curl -X GET "<ELASTICSEARCH_IP>:9200/_nodes/os?pretty"

curl -X GET "<ELASTICSEARCH_IP>:9200/_nodes/jvm?pretty"

curl -X GET "<ELASTICSEARCH_IP>:9200/_nodes/thread_pool?pretty"

curl -X GET "<ELASTICSEARCH_IP>:9200/_nodes/stats/process?filter_path=**.max_file_descriptors"

_cluster APIs

curl -X GET "<ELASTICSEARCH_IP>:9200/_cluster/stats?pretty"

curl -XGET '<ELASTICSEARCH_IP>:9200/_cluster/state?pretty=true' > result.json

Flush

curl -X POST "<ELASTICSEARCH_IP>:9200/*log*/_flush/synced?pretty"

Removing the Log Writing Barrier

curl -XPUT 'http://<ELASTICSEARCH_IP>:9200/*log*/_settings' -H 'Content-Type: application/json' -d'{"index": {"blocks": {"read_only_allow_delete": null}}}'

General Information About Snapshots

curl 'http://<ELASTICSEARCH_IP>:9200/_snapshot?pretty'

Repository and Snapshot Details

curl 'http://<ELASTICSEARCH_IP>:9200/_slm/policy/apinizer-slm-policy-<INDEX_KEY>?pretty' 

Detailed Examination of the Repository and Snapshot Names Obtained from the Previous Command

curl -XGET "http://<ELASTICSEARCH_IP>:9200/_snapshot/apinizer-repository-<INDEX_KEY>/apinizer-snapshot-<INDEX_KEY>-2023.03.13-m33h8zcpq_if4swyzn0wrq?pretty"

curl -XGET "http://<ELASTICSEARCH_IP>:9200/_snapshot/apinizer-repository-<INDEX_KEY>/apinizer-snapshot-<INDEX_KEY>-2023.03.13-m33h8zcpq_if4swyzn0wrq/_status?pretty"

Deleting All Settings Related to Snapshots

curl -XDELETE 'http://<ELASTICSEARCH_IP>:9200/_snapshot/apinizer-repository-<INDEX_KEY>?pretty'