
Elasticsearch Frequently Used Commands

Warning

Directly modifying data in production environments is never recommended. Before making any change in a production environment, test the relevant steps in a test environment and take a current backup of the system.

Viewing and Deleting Indices

Viewing Document Count

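# Count the documents in one index. The count API is addressed as
# /<index>/_count; the typed form /<index>/_doc/_count depends on mapping
# types, which were deprecated in Elasticsearch 7 and removed in 8.
# NOTE(review): the examples on this page call port 9200 without credentials
# or TLS; on a cluster with security enabled, add authentication (for example
# curl's -u option) and use https://.
curl -X GET "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_count"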

Viewing Indices with Where Condition

# URI search across every index (*) for documents whose apn field matches XYS.
curl --request GET "<ELASTICSEARCH_IP>:9200/*/_search?pretty=true&q=apn:XYS"

# Search all indices for documents whose apn matches "TEST GW" and whose
# @timestamp lies from 7 days ago (inclusive) to 5 days ago (exclusive),
# both rounded down to the start of the day.
curl --request GET "<ELASTICSEARCH_IP>:9200/_search?pretty" --header 'Content-Type: application/json' --data '
{
"query": {
"bool": {
"must": [
{
"match": {
"apn": "TEST GW"
}
},
{
"range": {
"@timestamp": {
"gte": "now-7d/d",
"lt": "now-5d/d"
}}}]}}}'

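# Return, for each hit, the entry of the _source.tch list whose k equals
# "Content-Type" as the script field content_type (null when there is none).
# The request body is single-quoted for the shell, so each single quote inside
# the Painless source is written as '\''. A bare ' would close the shell string
# and the script would reach Elasticsearch with its string quotes stripped.
curl -X GET "<ELASTICSEARCH_IP>:9200/_search?pretty" -H 'Content-Type: application/json' -d '{
  "script_fields": {
    "content_type": {
      "script": {
        "lang": "painless",
        "source": "if (params._source == null || params._source.tch == null) return null; for (def h : params._source.tch) { if (h.k == '\''Content-Type'\'') return h; } return null;"
      }
    }
  }
}'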

Query Finding Records Where CID in Request and CID in Response Are Not the Same Using Script

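# Script filter combined with a lower bound on @timestamp.
# Two fixes compared with the bare form:
#  - each single quote inside the Painless source is written as '\'' because
#    the whole body is single-quoted for the shell; a bare ' would end the
#    shell string and strip the quotes from the field names;
#  - the Content-Type header is set explicitly, since curl otherwise sends a
#    --data-raw body as application/x-www-form-urlencoded, which Elasticsearch
#    does not accept for a JSON body.
# NOTE(review): as written the script compares whether the two fields are
# present (containsKey), not their values - confirm this matches the intent
# of "CID in request differs from CID in response".
curl --location --request GET 'http://<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
  "query": {
    "bool": {
      "filter": [
        {
          "script": {
            "script": {
              "lang": "painless",
              "source": "doc.containsKey('\''aci.keyword'\'') != doc.containsKey('\''fbarh[1].keyword'\'')"
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-11-28T16:30:32.000Z"
            }
          }
        }
      ]
    }
  }
}'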

List of Requests Coming Per Second in a Specific Time Range

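# Bucket the requests of one API proxy (apn) into 6-second intervals over a
# fixed time window.
# The Content-Type header is set explicitly: curl sends a --data-raw body as
# application/x-www-form-urlencoded by default, which Elasticsearch does not
# accept for a JSON body.
curl --location --request GET '<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "apn": "Test GW"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-11-04T09:36:00.183Z",
              "lte": "2025-11-04T12:36:00.183Z"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "reqs_over_time": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "6s"
      }
    }
  }
}'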

Finding Specific Documents by Correlation ID

# Look up the documents whose aci (correlation ID) field matches the given value.
curl --request GET "<ELASTICSEARCH_IP>:9200/_search?pretty" --header 'Content-Type: application/json' --data '
{
"query": {
"match": {
"aci": "c3d8523e-e3ac-497b-ac7a-76853198c239"
}
}
}'

Deleting by Index Name

# Delete one index by name. The index and all of its documents are removed;
# afterwards the data can only be restored from a snapshot.
curl --request DELETE "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>"

Deleting Indices Containing a Given Word

# Delete every index whose name contains "metric".
# List what the pattern matches first (GET _cat/indices/*metric*?v), because a
# wildcard can cover more indices than intended. Elasticsearch 8 rejects
# wildcard deletes by default (action.destructive_requires_name is true there).
curl --request DELETE "<ELASTICSEARCH_IP>:9200/*metric*"

Changing Elasticsearch Stack's Read_Only Status

For all indices:

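# Clear the read_only_allow_delete and write blocks on all indices by setting
# both to null.
# wait_for_completion is not a parameter of the update-settings API, and
# Elasticsearch rejects requests carrying unrecognized query parameters, so it
# is not passed here.
# NOTE(review): read_only_allow_delete is typically applied when a node runs
# out of disk space; free up space first, otherwise the block can come back.
curl -X PUT "<ELASTICSEARCH_IP>:9200/_all/_settings" -H "Content-Type: application/json" -d'
{
  "index.blocks.read_only_allow_delete": null,
  "index.blocks.write": null
}'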

For a single index only:

# Clear the read_only_allow_delete and write blocks on a single index by
# setting both to null.
curl --request PUT "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_settings?pretty" --header 'Content-Type: application/json' --data '
{
"index.blocks.read_only_allow_delete": null,
"index.blocks.write": null
}'

Moving to New Index with Rollover

# Roll the named rollover target over to a new backing index; no conditions are
# sent, so the rollover is requested unconditionally.
curl --request POST "http://<ELASTICSEARCH_IP>:9200/apinizer-log-apiproxy-<INDEX_KEY>/_rollover"

Querying Documents in a Specific Index

# URI search that matches every document (*:*) in one index.
curl --request GET "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_search?pretty=true&q=*:*"

Querying Documents in Index by Specific Criteria

# URI search across every index for the apn value "Petstore API"
# (the + in the query string stands for a space).
curl --request GET "<ELASTICSEARCH_IP>:9200/*/_search?pretty=true&q=apn:Petstore+API"

Querying Documents by Specific Time Range

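# Search for documents of one API proxy (apn) within a relative time window
# expressed in date math.
# The Content-Type header is set explicitly: curl sends a --data-raw body as
# application/x-www-form-urlencoded by default, which Elasticsearch does not
# accept for a JSON body.
curl --location --request GET '<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "apn": "Test GW"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-5M/M",
              "lte": "now/d"
            }
          }
        }
      ]
    }
  }
}'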

Aggregating Document Results by Specific Criteria

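# Bucket the requests of one API proxy (apn) into 10-second intervals over a
# fixed time window.
# The Content-Type header is set explicitly: curl sends a --data-raw body as
# application/x-www-form-urlencoded by default, which Elasticsearch does not
# accept for a JSON body.
curl --location --request GET 'http://<ELASTICSEARCH_IP>:9200/_search' --header 'Content-Type: application/json' --data-raw '{
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "apn": "Test GW"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-12-28T15:08:00.000Z",
              "lte": "2025-12-30T15:08:00.000Z"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "reqs_over_time": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "10s"
      }
    }
  }
}'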

Finding the Number of Requests Each Authorized User Sent to Each API Proxy in the Last 1 Day

# Count requests per uok value and, within each, per apn value. "size": 0
# suppresses the hits so only the aggregation buckets are returned; documents
# without an apn are grouped under the "missing" label.
# NOTE(review): the range runs from the start of today to the start of
# tomorrow, i.e. the current calendar day rather than a rolling 24 hours.
# Each terms aggregation returns at most 1000 buckets.
curl --request GET "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_search?pretty" --header 'Content-Type: application/json' --data '
{
"size": 0,
"query": {
"range": {
"@timestamp": {
"gte": "now/d",
"lt": "now+1d/d"
}
}
},
"aggs": {
"by_uok": {
"terms": { "field": "uok", "size": 1000 },
"aggs": {
"by_apn": {
"terms": {
"field": "apn",
"size": 1000,
"missing": "ThoseNotGoingToASpecificApiProxy"
}
}
}
}
}
}
'

Update

Updating Document

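# Index the body as document 1 of the index. The document endpoint is
# /<index>/_doc/<id>; a custom type name such as "doc" in that position depends
# on mapping types, which were deprecated in Elasticsearch 7 and removed in 8.
# PUT stores the body as the whole document, so any field of an existing
# document 1 that is not repeated here is lost. To change individual fields
# only, use POST /<index>/_update/<id> with a {"doc": {...}} body instead.
curl -X PUT "<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_doc/1?pretty" -H 'Content-Type: application/json' -d'
{
  "name": "John Doe"
}'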

Deleting a Specific Element from Specified Fields

# Remove one entry from headerRequestFromClient and one from
# headerRequestToTarget in every document selected by the query.
# The '\'' sequences produce literal single quotes inside the single-quoted body.
# NOTE(review): the URL names no index and the query is match_all, so this
# rewrites every document in every index the caller may write to; scope the
# path to the intended log index or data stream before running it.
# NOTE(review): the script dereferences both header objects without a null
# check; documents lacking either field would presumably make it fail -
# confirm, or add an "exists" filter to the query.
curl -X POST "<ELASTICSEARCH_IP>:9200/_update_by_query?pretty" -H 'Content-Type: application/json' -d'
{
"script": {
"source": "ctx._source.headerRequestFromClient.remove('\''header-name-1'\''); ctx._source.headerRequestToTarget.remove('\''header-name-2'\'');"
},
"query": {
"match_all": {}
}
}'

Deleting Specific Values by Criteria

# Strip user_password from headerRequestFromClient in every index (*), for
# documents that have a user_username header and a non-empty user_password.
# conflicts=proceed continues past version conflicts; requests_per_second=200
# throttles the operation.
# NOTE(review): update-by-query writes a new version of each document. The old
# version, password included, stays in the index's segment files until they are
# merged, and snapshots taken before this run still contain it.
curl --request POST "<ELASTICSEARCH_IP>:9200/*/_update_by_query?pretty&conflicts=proceed&requests_per_second=200" --header 'Content-Type: application/json' --data '
{
"query": {
"bool" : {
"filter": {
"exists": {
"field": "headerRequestFromClient.user_username"
}
},
"must_not" : {
"term": {
"headerRequestFromClient.user_password": ""
}
}
}
},
"script": "ctx._source.headerRequestFromClient.remove(\"user_password\");"
}
'
Info
  • The requests_per_second value throttles the operation, which prevents Execution Reject errors.
  • The bulk operation size is 1000 by default, so with requests_per_second=200 the wait time between two requests is 5 seconds (=1000/200).
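# Remove the apmi, tba, tcb, fbarb, tbah, fbarh and tch fields from every
# document in every index (*) whose @timestamp lies in the given range.
# The script text is passed under "source"; "inline" is the deprecated name for
# the same field. The '\'' sequences produce literal single quotes inside the
# single-quoted body.
# NOTE(review): the removed values remain in older segment files until those
# are merged, and in snapshots taken before this run.
curl -X POST "http://<ELASTICSEARCH_IP>:9200/*/_update_by_query?conflicts=proceed&wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
  "script": {
    "source": "ctx._source.remove('\''apmi'\''); ctx._source.remove('\''tba'\''); ctx._source.remove('\''tcb'\''); ctx._source.remove('\''fbarb'\''); ctx._source.remove('\''tbah'\''); ctx._source.remove('\''fbarh'\''); ctx._source.remove('\''tch'\'');",
    "lang": "painless"
  },
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2019-02-01T20:03:12.963",
              "lte": "2019-04-30T20:03:12.963"
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  }
}'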

Deleting Response Body Fields from Logs Belonging to a Specific REST Endpoint

Note

This endpoint must be defined within an API proxy of openapi or no-spec type. If the same endpoint exists in multiple services, the API proxy name should also be added to the query.

# Remove the tcb and fbarb fields from the documents of one index whose apmn
# term equals "/anApiProxyEndpoint".
# The '\'' sequences produce literal single quotes inside the single-quoted body.
curl --location --request POST 'http://<ELASTICSEARCH_IP>:9200/<INDEX_KEY>/_update_by_query?pretty' --header 'Content-Type:application/json' --data-raw '{
"script": {
"source": "ctx._source.remove('\''tcb'\'');ctx._source.remove('\''fbarb'\'')",
"lang": "painless"
},
"query": {
"term": {
"apmn": "/anApiProxyEndpoint"
}
}
}'

Deleting Some Body Fields from Logs Up to a Specific Date

# Remove the tba, fbarb and tcb fields from every document dated on or before
# the given timestamp, in the backing indices matched by the 000* wildcard.
curl --request POST "<ELASTICSEARCH_IP>:9200/.ds-apinizer-log-apiproxy-<LOG_KEY>-000*/_update_by_query?pretty" --header 'Content-Type: application/json' --data '
{
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"lte": "2024-04-20T00:00:00.000Z"
}
}
}
]
}
},
"script": {
"source": "ctx._source.remove(\"tba\"); ctx._source.remove(\"fbarb\"); ctx._source.remove(\"tcb\")"
}
}'
Note

If you want to update by API Proxy id value instead of date, you can add the filter "match": { "api": "64ac03067e8f7400cf4adbdd" } instead of the part "range": { "@timestamp": { "lte": "2024-04-20T00:00:00.000Z" } }.

Note

To examine the Elasticsearch data structure and determine the fields to be deleted, you can check the API Traffic Log Record Data Structure page.

Setting Replica Count

With template:

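# Create an index template that sets the shard and replica counts for new
# indices and data streams matching the listed patterns.
# The body uses "data_stream", "template" and "priority", which belong to the
# composable template API, so the request goes to _index_template; the legacy
# _template endpoint expects a different body shape.
# NOTE(review): composable templates are not merged - among matching templates
# the one with the highest priority is applied. Confirm that priority 501 does
# not displace an existing template that carries the required mappings.
# NOTE(review): with "number_of_replicas": 0 each shard has a single copy, so
# data on a lost node can only be recovered from a snapshot.
curl -X PUT "<ELASTICSEARCH_IP>:9200/_index_template/template_genel?pretty" -H 'Content-Type: application/json' -d'
{
  "index_patterns": ["apinizer-log-*", "apinizer-metric-*", "mongo-db-*"],
  "data_stream": { },
  "template": {
    "settings": {
      "index": {
        "number_of_shards": 1,
        "number_of_replicas": 0
      }
    }
  },
  "priority": 501
}'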

For all indices:

# Set the replica count to 0 on every existing index (*).
# With no replicas each shard has a single copy, so data on a lost node can
# only be recovered from a snapshot.
curl --request PUT "<ELASTICSEARCH_IP>:9200/*/_settings" --header 'Content-Type: application/json' --data '
{
"index": {
"number_of_replicas": 0
}
}'

Shard Allocation

# Allow shard allocation for all kinds of shards. Sent as a transient cluster
# setting, which does not survive a full cluster restart.
curl --request PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" --header 'Content-Type: application/json' --data '
{
"transient": {
"cluster.routing.allocation.enable": "all"
}
}'

Increasing Shard Limit

# Raise both per-node shard limits to 2000 as persistent cluster settings.
# NOTE(review): hitting the shard limit usually points to too many small
# indices; raising it adds heap and cluster-state load on each node, so check
# retention and rollover settings as well.
curl --request PUT "http://<ELASTICSEARCH_IP>:9200/_cluster/settings" --header 'Content-Type: application/json' --data '
{
"persistent": {
"cluster.routing.allocation.total_shards_per_node": 2000,
"cluster.max_shards_per_node": 2000
}
}'

Changing Log Level

# Switch the root logger to DEBUG for troubleshooting ...
curl --request PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" --header 'Content-Type: application/json' --data '{"transient":{"logger._root":"DEBUG"}}'
# ... and back to INFO afterwards. DEBUG output is far more verbose, so run
# this second command as soon as the investigation is finished.
curl --request PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" --header 'Content-Type: application/json' --data '{"transient":{"logger._root":"INFO"}}'

Slowlog Settings

# Log the fetch and query phases of searches on *log* indices at TRACE level
# once they take longer than 200 ms.
# NOTE(review): search slow-log entries can include the text of the query, so
# treat the slow-log files with the same access controls as the indexed data.
curl --request PUT "<ELASTICSEARCH_IP>:9200/*log*/_settings?pretty" --header 'Content-Type: application/json' --data '
{
"index.search.slowlog.threshold.fetch.trace": "200ms",
"index.search.slowlog.threshold.query.trace": "200ms"
}'

Elasticsearch Shard and Replication Management

Enabling Shard Allocation
# Re-enable shard allocation for all kinds of shards (transient cluster setting).
curl --request PUT "<ELASTICSEARCH_IP>:9200/_cluster/settings" --header 'Content-Type:application/json' --data '{
"transient": {
"cluster.routing.allocation.enable": "all"
}
}'
Retrying Failed Shards
# Ask the cluster to retry allocating shards whose earlier allocation attempts failed.
curl --request POST "<ELASTICSEARCH_IP>:9200/_cluster/reroute?retry_failed" --header 'Content-Type:application/json'
Querying Cluster Allocation Explanation
# Ask the cluster for an explanation of a shard's current allocation state.
curl --request GET "<ELASTICSEARCH_IP>:9200/_cluster/allocation/explain?pretty"
Updating Index Replication Settings
# Set the replica count to 0. The path names no index, so the change applies to
# all indices; with no replicas each shard has a single copy.
curl --request PUT "<ELASTICSEARCH_IP>:9200/_settings" --header 'Content-Type:application/json' --data '{
"index": {
"number_of_replicas": 0
}
}'

Other

_cat APIs
# List all indices as a table with column headers (v), sorted by index name.
curl --request GET "<ELASTICSEARCH_IP>:9200/_cat/indices/*?v&s=index&pretty"

# Show thread-pool figures per node, limited to the columns named in h.
curl --request GET "<ELASTICSEARCH_IP>:9200/_cat/thread_pool?v&h=id,node_name,ip,name,core,queue,rejected,completed,max"
_nodes APIs
# Operating-system information for each node.
curl --request GET "<ELASTICSEARCH_IP>:9200/_nodes/os?pretty"

# JVM information for each node.
curl --request GET "<ELASTICSEARCH_IP>:9200/_nodes/jvm?pretty"

# Thread-pool configuration for each node.
curl --request GET "<ELASTICSEARCH_IP>:9200/_nodes/thread_pool?pretty"

# Process statistics, filtered down to max_file_descriptors.
curl --request GET "<ELASTICSEARCH_IP>:9200/_nodes/stats/process?filter_path=**.max_file_descriptors"
_cluster APIs
# Cluster-wide statistics.
curl --request GET "<ELASTICSEARCH_IP>:9200/_cluster/stats?pretty"

# Dump the cluster state into result.json in the current directory. The file
# holds cluster metadata such as settings, mappings and node addresses, so
# store and share it accordingly.
curl --request GET "<ELASTICSEARCH_IP>:9200/_cluster/state?pretty=true" > result.json
Flush
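# Flush the *log* indices. The plain _flush endpoint is used because synced
# flush (_flush/synced) was deprecated in Elasticsearch 7.6 and removed in 8.0.
curl -X POST "<ELASTICSEARCH_IP>:9200/*log*/_flush?pretty"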
Removing Log Write Block
# Clear the read_only_allow_delete block on the *log* indices by setting it to null.
# NOTE(review): this block is typically applied when a node runs out of disk
# space; free up space first, otherwise it can come back.
curl --request PUT "http://<ELASTICSEARCH_IP>:9200/*log*/_settings" --header 'Content-Type: application/json' --data '{"index": {"blocks": {"read_only_allow_delete": null}}}'
Snapshot Operations
General Information About Snapshot
# List the registered snapshot repositories.
curl --request GET 'http://<ELASTICSEARCH_IP>:9200/_snapshot?pretty'
Repository and Snapshot Details
# Show the snapshot lifecycle management (SLM) policy with the given ID.
curl --request GET 'http://<ELASTICSEARCH_IP>:9200/_slm/policy/apinizer-slm-policy-<INDEX_KEY>?pretty'
Detailed Snapshot Review
# Details of one snapshot in the repository (the snapshot name is an example value).
curl --request GET "http://<ELASTICSEARCH_IP>:9200/_snapshot/apinizer-repository-<INDEX_KEY>/apinizer-snapshot-<INDEX_KEY>-2023.03.13-m33h8zcpq_if4swyzn0wrq?pretty"

# Status of the same snapshot.
curl --request GET "http://<ELASTICSEARCH_IP>:9200/_snapshot/apinizer-repository-<INDEX_KEY>/apinizer-snapshot-<INDEX_KEY>-2023.03.13-m33h8zcpq_if4swyzn0wrq/_status?pretty"
Deleting Snapshot Settings
# Unregister the snapshot repository. This removes only the cluster's reference
# to it; snapshot files already written to the storage location stay in place
# and still need their own access control and retention handling.
curl --request DELETE 'http://<ELASTICSEARCH_IP>:9200/_snapshot/apinizer-repository-<INDEX_KEY>?pretty'