This is the first article in our "Helpful Hints" series where we will describe how to implement real-world use cases step-by-step. Helpful Hints will be published bi-weekly and are quick 2-3 minute reads.
Elasticsearch date math expressions
Elasticsearch supports date math expressions in index names. You can use these expressions when creating an index and when querying indices.
A date math index name has the following format:
As an example, if today is the 21st of October 2020, the following index name:
Would expand to:
See the official Elasticsearch docs for more examples of date math expressions.
Date math expressions are great for querying indices that carry a date in the index name, as most logfile-based indices do, especially if you have set up a daily, weekly, or monthly rolling index policy.
Using date math expressions for access control
Search Guard fully supports Elasticsearch date math index names for controlling access to data. Let's assume you have set up a logstash index pattern that contains the year and month, like:
You want to set up a role with READ access to the logstash indices, but only allow access to logs for the current month. You can use any valid date math expression in the index_patterns section of the role definition, like:
The date math expression is evaluated at runtime and, if today is the 21st of October 2020, expands to logstash-2020.10.
Since we can define multiple index patterns per role, we can simply extend access to the last three months by defining the role like:
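To see how such a role resolves over time, here is an added example (not Search Guard's or Elasticsearch's own code) that expands date math index names the way the article describes and checks which indices a role's index_patterns would match at a given moment. The `<static_name{date_math_expr{date_format}}>` syntax is Elasticsearch's; the `LAST_THREE_MONTHS` patterns, the `role_allows` helper and the 21 October 2020 timestamp are constructed for this example.

```python
import calendar
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Elasticsearch date math index name: <static_name{date_math_expr{date_format|time_zone}}>.
# Only "now"-anchored expressions are handled; a "|time_zone" suffix is accepted but ignored.
_NAME_RE = re.compile(r"^<([^{]*)\{now([^{}]*)(?:\{([^{}|]*)(?:\|[^{}]*)?\})?\}>$")
_OP_RE = re.compile(r"([+-]\d+|/)([yMwdHms])")  # +1d, -2M, /M ... applied left to right
_UNITS = {"w": "weeks", "d": "days", "H": "hours", "m": "minutes", "s": "seconds"}
_FORMATS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H"), ("mm", "%M")]
_ORDER = "yMdHms"  # coarse to fine, used when rounding down with "/"

def _add_months(dt, n):
    total = dt.month - 1 + n
    year, month = dt.year + total // 12, total % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))
def _round_down(dt, unit):
    if unit == "w":  # weeks round down to Monday 00:00
        dt, unit = dt - timedelta(days=dt.weekday()), "d"
    resets = {"M": {"month": 1}, "d": {"day": 1}, "H": {"hour": 0}, "m": {"minute": 0}, "s": {"second": 0}}
    kwargs = {"microsecond": 0}
    for finer in _ORDER[_ORDER.index(unit) + 1:]:  # reset every field finer than the unit
        kwargs.update(resets[finer])
    return dt.replace(**kwargs)
def expand_date_math(name, now):
    """Expand one date math index name at the given 'now'; plain names/patterns pass through."""
    m = _NAME_RE.match(name)
    if not m:
        return name
    static, fmt = m.group(1), m.group(3) or "yyyy.MM.dd"  # ES default format
    dt = now
    for amount, unit in _OP_RE.findall(m.group(2)):
        if amount == "/":
            dt = _round_down(dt, unit)
        elif unit in ("y", "M"):
            dt = _add_months(dt, int(amount) * (12 if unit == "y" else 1))
        else:
            dt = dt + timedelta(**{_UNITS[unit]: int(amount)})
    for java, py in _FORMATS:  # translate the Java-style date format to strftime
        fmt = fmt.replace(java, py)
    return static + dt.strftime(fmt)
def role_allows(index_patterns, index_name, now):
    """Would a role with these index_patterns match index_name at time 'now'? (wildcards allowed)"""
    return any(fnmatchcase(index_name, expand_date_math(p, now)) for p in index_patterns)

# The article's "last three months" role written out as three date math patterns (constructed).
LAST_THREE_MONTHS = ["<logstash-{now/M{yyyy.MM}}>", "<logstash-{now/M-1M{yyyy.MM}}>",
                     "<logstash-{now/M-2M{yyyy.MM}}>"]
EXAMPLE_NOW = datetime(2020, 10, 21, 9, 15)  # the article's example date (constructed)
if __name__ == "__main__":
    print(expand_date_math("<logstash-{now/d}>", EXAMPLE_NOW), [expand_date_math(p, EXAMPLE_NOW) for p in LAST_THREE_MONTHS])
    print(role_allows(LAST_THREE_MONTHS, "logstash-2020.08", EXAMPLE_NOW), role_allows(LAST_THREE_MONTHS, "logstash-2020.07", EXAMPLE_NOW))
```

Run at the example timestamp, the three patterns expand to logstash-2020.10, logstash-2020.09 and logstash-2020.08, so logstash-2020.07 falls outside the role without anyone editing it.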
Where to go next
Image: Shutterstock / Irina Strelnikova