Dev Tools Configuration – Index Management

Configuration and Management Tasks Using Dev Tools #

Creating Indices: #

• You can create new indices directly from Dev Tools. For example, to create a new index for storing security alerts, you might run:

PUT /argus-alerts-000001

{

  “settings”: {

    “number_of_shards”: 1,

    “number_of_replicas”: 1

  },

  “mappings”: {

    “properties”: {

      “host”: { “type”: “keyword” },

      “event”: { “type”: “text” },

      “timestamp”: { “type”: “date” }

    }

  }

}

Managing Index Templates: #

• You can define and manage index templates, which specify settings and mappings for new indices. For example:

PUT _template/my_index_template

{

  “index_patterns”: [“argus-alerts-*”],

  “mappings”: {

    “properties”: {

      “host”: { “type”: “keyword” },

      “event”: { “type”: “text” }

    }

  }

}

Index Management: #

• You can check the status and settings of existing indices using:

GET /_cat/indices?v

Deleting Indices: #

• If you need to remove an index, you can do so directly with a command like:

DELETE /argus-alerts-000001

Updating Index Settings: #

• To change the settings of an existing index, you can run:

PUT /argus-alerts-000001/_settings

{

  “index”: {

    “number_of_replicas”: 2

  }

}

Viewing and Modifying Mappings: #

• You can check the current mappings of an index with:

GET /argus-alerts-000001/_mapping

• If necessary, you can update the mappings as well.

Querying Data: #

• You can run queries to retrieve and analyze data stored in your indices. For example:

GET /argus-alerts-000001/_search

{

  “query”: {

    “match_all”: {}

  }

}

Index Lifecycle Management (ILM): #

• You can manage ILM policies for indices using Dev Tools. For example, to create a new ILM policy:

PUT _ilm/policy/my_policy

{

  “policy”: {

    “phases”: {

      “hot”: {

        “actions”: {

          “rollover”: {

            “max_age”: “30d”

          }

        }

      }

    }

  }

}

Example Usage in Dev Tools #

Create an Index: #

PUT /my-security-alerts-000001

{

  “settings”: {

    “number_of_shards”: 1,

    “number_of_replicas”: 1

  },

  “mappings”: {

    “properties”: {

      “alert”: { “type”: “text” },

      “severity”: { “type”: “keyword” },

      “timestamp”: { “type”: “date” }

    }

  }

}

Create an Index Template: #

PUT _template/my_alert_template

{

  “index_patterns”: [“my-security-alerts-*”],

  “mappings”: {

    “properties”: {

      “alert”: { “type”: “text” },

      “severity”: { “type”: “keyword” }

    }

  }

}

Query Data: #

GET /my-security-alerts-000001/_search

{

  “query”: {

    “match”: {

      “severity”: “high”

    }

  }

}