Explore data in Elasticsearchedit

This documentation refers to the standalone (legacy) method of running APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to the Elastic APM integration. If you’ve already upgraded, see Data streams.

Elastic APM stores data for each event type in separate indices. By default, Index Lifecycle Management (ILM) is enabled and event data is stored using the following index naming patterns:

apm-%{[version]}-transaction-000001
apm-%{[version]}-span-000001
apm-%{[version]}-error-000001
apm-%{[version]}-metric-000001
apm-%{[version]}-sourcemap

If you’ve disabled ILM and are instead using daily indices, the default index naming pattern is:

apm-%{[version]}-transaction-%{+yyyy.MM.dd}
apm-%{[version]}-span-%{+yyyy.MM.dd}
apm-%{[version]}-error-%{+yyyy.MM.dd}
apm-%{[version]}-metric-%{+yyyy.MM.dd}
apm-%{[version]}-sourcemap

If your APM data is being stored in a different format, you may be using an outdated apm-server.yml file. You must update your apm-server.yml file in order to take advantage of the new format of indices.

Sample APM documentsedit

Sample documents for each of the APM event types are available on these pages:

Elasticsearch query examplesedit

The following examples enable you to interact with Elasticsearch’s REST API. One possible way to do this is using Kibana’s Dev Tools console.

Indices, templates, and index-level operations can also be manged via Kibana’s Index management panel.

To see an overview of existing indices, run:

GET _cat/indices/apm*

To query all documents collected with a specific APM Server version:

GET apm-8.3.3-*/_search

To query a specific event type, for example, transactions:

GET apm-*transactions-*/_search

If you are interested in the settings and mappings of the Elastic APM indices, first, run a query to find template names:

GET _cat/templates/apm*

Then, retrieve the specific template you are interested in:

GET  /_template/your-template-name