Explore data in Elasticsearch

Elastic APM stores data for each event type in separate indices. By default, Index Lifecycle Management (ILM) is enabled and event data is stored using the following index naming patterns:

apm-%{[version]}-transaction-000001
apm-%{[version]}-span-000001
apm-%{[version]}-error-000001
apm-%{[version]}-metric-000001
apm-%{[version]}-sourcemap

If you’ve disabled ILM and are instead using daily indices, the default index naming pattern is:

apm-%{[version]}-transaction-%{+yyyy.MM.dd}
apm-%{[version]}-span-%{+yyyy.MM.dd}
apm-%{[version]}-error-%{+yyyy.MM.dd}
apm-%{[version]}-metric-%{+yyyy.MM.dd}
apm-%{[version]}-sourcemap

If your APM data is being stored in a different format, you may be using an outdated apm-server.yml file. You must update your apm-server.yml file in order to take advantage of the new format of indices.
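To check which naming scheme a set of indices follows, the sketch below (an added example, not part of the Elastic documentation) classifies index names against the two default patterns above and reports names that match neither. It assumes `%{[version]}` expands to a dotted numeric version such as `7.15.2`; the function names and sample index names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: %{[version]} is a dotted numeric version such as 7.15.2.
_VERSION = r"(?P<version>\d+\.\d+\.\d+)"
_EVENT = r"(?P<event>transaction|span|error|metric)"
ILM_RE = re.compile(rf"^apm-{_VERSION}-{_EVENT}-\d{{6}}$")
DAILY_RE = re.compile(rf"^apm-{_VERSION}-{_EVENT}-\d{{4}}\.\d{{2}}\.\d{{2}}$")
SOURCEMAP_RE = re.compile(rf"^apm-{_VERSION}-sourcemap$")


def classify_index(name):
    """Return (scheme, version, event) for one index name."""
    for scheme, pattern in (("ilm", ILM_RE), ("daily", DAILY_RE)):
        m = pattern.match(name)
        if m:
            return scheme, m["version"], m["event"]
    m = SOURCEMAP_RE.match(name)
    if m:
        return "sourcemap", m["version"], "sourcemap"
    # Matches neither default pattern, e.g. written with an older index config.
    return "nonconforming", None, None


def summarize(names):
    """Group names by scheme; list versions that have both ILM and daily indices."""
    by_scheme = defaultdict(list)
    schemes_per_version = defaultdict(set)
    for name in names:
        scheme, version, _ = classify_index(name)
        by_scheme[scheme].append(name)
        if scheme in ("ilm", "daily"):
            schemes_per_version[version].add(scheme)
    mixed = sorted(v for v, s in schemes_per_version.items() if len(s) > 1)
    return dict(by_scheme), mixed


# Constructed sample index names, not output from a real cluster.
SAMPLE = [
    "apm-7.15.2-transaction-000001",
    "apm-7.15.2-span-000001",
    "apm-7.15.2-error-2021.11.30",
    "apm-7.15.2-sourcemap",
    "apm-7.15.2-2021.11.30",
    "apm-7.14.0-metric-000003",
]

if __name__ == "__main__":
    groups, mixed = summarize(SAMPLE)
    for scheme, members in groups.items():
        print(scheme, members)
    print("versions with both ILM and daily indices:", mixed)
```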

Sample APM documents

Sample documents for each of the APM event types are available on these pages:

Elasticsearch query examples

The following examples enable you to interact with Elasticsearch’s REST API. One possible way to do this is using Kibana’s Dev Tools console.

Indices, templates, and index-level operations can also be managed via Kibana’s Index management panel.

To see an overview of existing indices, run:

GET _cat/indices/apm*

To query all documents collected with a specific APM Server version:

GET apm-7.15.2-*/_search

To query a specific event type, for example, transactions:

GET apm-*-transaction-*/_search

If you are interested in the settings and mappings of the Elastic APM indices, first, run a query to find template names:

GET _cat/templates/apm*

Then, retrieve the specific template you are interested in:

GET /_template/your-template-name