Elasticsearch Cheat Sheet

Source: JoliCode

• Queries
• Control total hit count
• QueryString syntax
• Search After - Pagination cursor
• Indexes and mapping
• Get the mapping and the settings
• Create a document (auto-generated ID)
• Create or update a document
• Delete a document
• Open and close indexes to save memory and CPU
• Remove and create aliases
• List aliases
• Full custom analyzer declaration
• Indices monitoring and information
• Indices status and management
• Reindex API
  • Simple Reindex Operation
  • Selective Reindex Operation
• Debug and development
  • Queries
  • Analysis
• Slowlog
• Cluster and node information
• Updating settings
• Snapshots and Restore

Queries

There are two syntaxes for the basic queries: a simple one on the left, where you can't use any option, and an extended one on the right. Most of the beginner headache with the DSL come from this:

GET _search
{
  "query": {
    "match": {
      "FIELD": "TEXT"
    }
  }
}

GET _search
{
  "query": {
    "match": {
      "FIELD": {
        "query": "TEXT",
        "OPTION": "VALUE"
      }
    }
  }
}

Full search example with aggregation, highlight, filter...

GET /_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "title": "smith"
          }
        }
      ],
      "must_not": [
        {
          "match_phrase": {
            "title": "granny smith"
          }
        }
      ],
      "filter": [
        {
          "exists": {
            "field": "title"
          }
        }
      ]
    }
  },
  "aggs": {
    "my_agg": {
      "terms": {
        "field": "user",
        "size": 10
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "<em>"
    ],
    "post_tags": [
      "</em>"
    ],
    "fields": {
      "body": {
        "number_of_fragments": 1,
        "fragment_size": 20
      },
      "title": {}
    }
  },
  "size": 20,
  "from": 100,
  "_source": [
    "title",
    "id"
  ],
  "sort": [
    {
      "_id": {
        "order": "desc"
      }
    }
  ]
}

Control total hit count

Accept true, false or a fixed number, default to 10000.

GET /_search
{
  "track_total_hits": true,
  "query": {}
}
Common queries
"multi_match": {
  "query": "Elastic",
  "fields": ["user.*", "title^3"],
  "type": "best_fields"
}
"bool": {
  "must": [],
  "must_not": [],
  "filter": [],
  "should": [],
  "minimum_should_match" : 1
}
"range": {
  "age": {
    "gte": 10,
    "lte": 20,
    "boost": 2
  }
}

QueryString syntax

Search in the default _all field:

GET /_search?q=pony

Complex search with operator and exact phrase search with boost:

GET /_search?q=title:(joli OR code) AND author:"Damien Alexandre"^2

Search with wildcard and special queries:

GET /_search?q=_exists_:title OR title:singl? noneOrAnyChar*cter

Search with fuzzyness and range:

GET /_search?q=title:elastichurch~3 AND date:[2016-01-01 TO 2018-12-31]

Use in Query DSL (not recommended for user search):

GET /_search
{
  "query": {
    "query_string": {
      "default_field": "content",
      "query": "elastic AND (title:lucene OR title:solr)"
    }
  }
}

Search After - Pagination cursor

Search with a custom sort:

GET products/_search
{
    "size": 10,
    "sort": [
        {"date": "asc"},
        {"_id": "desc"}
    ]
}

On the next "page", pass the sort values from the last result:

GET product/_search
{
    "size": 10,
    "search_after": [1463538857, "654323"],
    "sort": [
        {"date": "asc"},
        {"_id": "desc"}
    ]
}

Indexes and mapping

Create an index with settings and mapping

PUT /my_index_name
{
  "settings": {
    "number_of_replicas": 1,
    "number_of_shards": 3,
    "analysis": {},
    "refresh_interval": "1s"
  },
  "mappings": {
    "dynamic": false,
    "properties": {
      "title": {
        "type": "text",
        "analyzer": "english"
      }
    }
  }
}

Get the mapping and the settings

GET /my_index_name
GET /my_index_name/_mapping
GET /my_index_name/_settings

Create a document (auto-generated ID)

POST /my_index_name/_doc
{
  "title": "Elastic is funny",
  "tag": [
    "lucene"
  ]
}

Create or update a document

PUT /my_index_name/_doc/12abc
{
  "title": "Elastic is funny",
  "tag": [
    "lucene"
  ]
}

Delete a document

DELETE /my_index_name/_doc/12abc

Open and close indexes to save memory and CPU

POST /my_index_name/_close
POST /my_index_name/_open

Remove and create aliases

POST /_aliases
{
  "actions": [
    {
      "remove": {
        "index": "my_index_name",
        "alias": "foo"
      }
    },
    {
      "add": {
        "index": "my_index_name",
        "alias": "bar",
        "filter" : { "term" : { "user" : "damien" } }
      }
    }
  ]
}

List aliases

GET /_aliases
GET /my_index_name/_alias/*
GET /*/_alias/*
GET /*/_alias/foo

Full custom analyzer declaration

PUT /english_example
{
  "settings": {
    "analysis": {
      "filter": {
        "english_stop": {
          "type":       "stop",
          "stopwords":  "_english_"
        },
        "english_stemmer": {
          "type":       "stemmer",
          "language":   "english"
        }
      },
      "analyzer": {
        "my_english": {
          "char_filter":  ["html_strip"],
          "tokenizer":  "standard",
          "filter": [
            "lowercase",
            "english_stop",
            "english_stemmer"
          ]
        }
      }
    }
  }
}

Indices monitoring and information

GET /my_index_name/_stats
GET /my_index_name/_segments
GET /my_index_name/_recovery?pretty&human

Indices status and management

POST /my_index_name/_cache/clear
POST /my_index_name/_refresh
POST /my_index_name/_flush
POST /my_index_name/_forcemerge

Reindex API

Simple Reindex Operation

POST /_reindex
{
  "source": {
    "index": "test-index"
  },
  "dest": {
    "index": "test-index-new"
  }
}

Selective Reindex Operation

POST /_reindex
{
  "source": {
    "index": "test-index",
    "query": {
      "match": {
        "gender": "female"
      }
    }
  },
  "dest": {
    "index": "test-index-new",
    "type": "female"
  }
}

Debug and development

Queries

Get a detailed view of what a query do:

GET /blog/_validate/query?explain=true
{
  "query": {
    "match": {
      "title": "Smith"
    }
  }
}

Get an explanation about a document matching or not:

GET /blog/_doc/1/_explain
{
  "query": {
    "match": {
      "title": "Smith"
    }
  }
}

Analysis

Test how a content is tokenized in a field:

GET /blog/_analyze
{
  "field": "title",
  "text": "powerful"
}

Test analyzer token output by analyzer:

GET /blog/_analyze
{
  "analyzer": "english",
  "text": "powerful"
}

Slowlog

Lower the slowlog threshold to see all the search queries in the logs:

PUT /blog/_settings
{
  "index.search.slowlog.threshold.query.trace": "0s",
  "index.search.slowlog.level": "trace"
}

Go back to the default configuration:

PUT /blog/_settings
{
  "index.search.slowlog.threshold.query.trace": "500ms",
  "index.search.slowlog.level": "info"
}

Cluster and node information

GET /_cluster/health?pretty
GET /_cluster/health?wait_for_status=yellow&timeout=50s
GET /_cluster/state
GET /_cluster/stats?human&pretty
GET /_cluster/pending_tasks
GET /_nodes
GET /_nodes/stats
GET /_nodes/nodeId1,nodeId2/stats

Get the full reference of all the settings:

GET /_cluster/settings?include_defaults=true&flat_settings=true

Updating settings

Disable shard allocation, useful before a rolling restart:

PUT /_cluster/settings
{
    "transient" : {
        "cluster.routing.allocation.enable" : "none"
    }
}

PUT /_cluster/settings
{
    "transient" : {
        "cluster.routing.allocation.enable" : "all"
    }
}

Snapshots and Restore

PUT /_snapshot/my_backup
{
  "type": "fs",
  "settings": {
    "location": "my_backup_location"
  }
}

PUT /_snapshot/my_backup/snapshot_a
{
  "indices": "index_1,index_2",
  "ignore_unavailable": "true",
  "include_global_state": false
}

POST /_snapshot/my_backup/snapshot_a/_restore
{
  "indices": "index_1,index_2",
  "ignore_unavailable": "true",
  "include_global_state": false,
  "rename_pattern": "index_(.+)",
  "rename_replacement": "restored_index_$1"
}