Introduction

Spatialized founder Jozef Sorocin
Jozef Soročin
Updated 07/13/2025

Each chapter is dedicated to a separate topic and was put together such that it can be read on its own. At the same time, the chapters often reference one another, esp. in contexts where backlinks are educative.


Each subchapter starts with a brief summary of what falls into the given category, followed by a description of the challenges that people usually face. Next, I present one or two real-world use cases and an approach I'd take to solve them. Tips 💡, key pieces of information 🔑, and caveats ⚠️ are scattered throughout the text.

Since Elasticsearch is essentially a JSON-in/JSON-out server, all communication with it is performed through HTTP(S) — a cURL request at the very least. Using cURL is perfectly fine for those of us who live in the terminal but the rest of us either use Postman/Insomnia or Kibana.

Most code snippets in this handbook are ready to copy-paste into the Kibana Dev Tools Console:

Older version of Kibana

Newer version of Kibana

After pasting, run queries with cmd/ctrl + enter and prettify/compact with cmd/ctrl + i.

The 🔧 icon can:

  1. take you to the official documentation based on the currently entered endpoint
  2. but also convert the Kibana DSL (domain-specific language) statements into a raw cURL request.

Working with Kibana and Chrome Dev Tools is a great time-saver.

In this book and elsewhere you'll encounter triple quotes inside JSON queries, esp. in multi-line scripts such as:

GET index_name/_search
{
  "query": {
    "script": {
      "source": """
        // some
        // multiline
        // code
        return true
      """
    }
  }
}

The above is invalid JSON so you cannot use it as the actual request body. But triple quotes are a convention that helps increase code readability and supports multi-line strings, esp. when devising/testing out scripts. They work in Kibana because they get escaped right before the corresponding REST call is performed — you can verify that by inspecting the body of the XHR calls made to the /api/console/proxy endpoint in the network tab of your browser's dev tools.

So you've got two options if you want to use the multi-line JSON in any environment outside of Kibana (be it in Postman, cURL, etc.):

  1. either rewrite the contents of these multi-line strings manually
  2. or simply press cmd/ctrl + i. The resulting compact query would then look like:
{
  "query": {
    "script": { "source": "// some\n // multiline\n // code\n return true" }
  }
}

which is indeed valid JSON.
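
The same conversion can be scripted when Kibana is not at hand. The following is an added example, not code from this handbook or from Kibana: it escapes each triple-quoted string with a JSON encoder and re-parses the result, so a malformed body is rejected before it is sent. The `status` field and the `localhost:9200` address are assumptions made for the illustration.

```python
import json
import re
import shlex

# A Console triple-quoted string: everything between two """ markers, newlines included.
TRIPLE_QUOTED = re.compile(r'"""(.*?)"""', re.DOTALL)


def console_to_json(body):
    """Return `body` as compact, strict JSON with triple-quoted strings escaped."""
    # json.dumps adds the surrounding quotes and escapes newlines, quotes and backslashes.
    strict = TRIPLE_QUOTED.sub(lambda m: json.dumps(m.group(1)), body)
    # Round-trip through the parser so a malformed body fails here, not at the server.
    return json.dumps(json.loads(strict), separators=(",", ":"))


def split_console_request(text):
    """Split a Console snippet into (method, path, strict JSON body or '')."""
    request_line, _, body = text.strip().partition("\n")
    method, path = request_line.split(None, 1)
    return method.upper(), path.strip(), console_to_json(body) if body.strip() else ""


# Constructed sample: the handbook's snippet plus a line containing double quotes
# (the "status" field is hypothetical).
SAMPLE = '''GET index_name/_search
{
  "query": {
    "script": {
      "source": """
        // some
        // multiline
        // code
        return doc["status"].value == "ok";
      """
    }
  }
}'''

if __name__ == "__main__":
    method, path, body = split_console_request(SAMPLE)
    # Assumed local node address; shlex.quote keeps the body intact in the shell.
    print("curl -X", method, shlex.quote("http://localhost:9200/" + path),
          "-H 'Content-Type: application/json' -d", shlex.quote(body))
```

Letting the encoder do the escaping matters most when a script contains double quotes or backslashes, which is where hand-rewriting a multi-line string tends to go wrong.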

| Term | Interpretation |
|---|---|
| ES | Elasticsearch |
| doc | document ≈ row in SQL |
| docs | the (official) documentation for something |
| field | a doc's attribute ≈ a column in SQL |
| index | a collection of docs ≈ a table in SQL |
| to index | to add a document to an ES index; to sync |
| aggs | aggregations |
| API | any of the ES REST APIs |
| endpoint | an ES API endpoint, typically starting with _ (e.g., _search) |
| mapping | instructions on how fields are stored and indexed ≈ schema in SQL |
| dev tools | the Kibana Dev Tools console (localhost) |
| DSL | domain-specific language; ES DSL = the JSON queries Elasticsearch accepts |
| SO | StackOverflow.com |

  • 💡 an idea / a tip / a good-to-know
  • ⚠️ a caveat / warning
  • ⚙️ deeper knowledge of ES required
  • 🔑 a key piece of knowledge
  • *️⃣ a footnote
  • ▶️ an expandable toggle list