Exploring data in Elasticsearch

edit

Templates describing how the APM Server stores data in Elasticsearch have changed in v6.5. Read the upgrading to 6.5 guide for more information.

By default, Elastic APM data is stored in separated indices in the following formats:

apm-%{[version]}-sourcemap
apm-%{[version]}-error-%{+yyyy.MM.dd}
apm-%{[version]}-transaction-%{+yyyy.MM.dd}
apm-%{[version]}-span-%{+yyyy.MM.dd}
apm-%{[version]}-metric-%{+yyyy.MM.dd}

If you’re unfamiliar with the data types shown above, they are described in the APM data model.

If your APM data is being stored in a different format, you may be using an outdated apm-server.yml file. You must update your apm-server.yml file in order to take advantage of the new format of indices.

To get an overview of existing indices you can run:

GET _cat/indices/apm*

Default APM template and indices:

To query all documents collected with a specific APM Server version:

GET apm-6.5.4-*/_search

To query a specific type, for example transactions:

GET apm-*transactions-*/_search

If you are interested in the settings and mappings of the Elastic APM indices, first, run a query to find template names:

GET _cat/templates/apm*

Then you can retrieve the specific template you are interested in:

GET  /_template/your-template-name

Read more about Index Templates and how they are used.

Alternatively, use the Kibana Index Management UI. When clicking on a specific index you can view the settings and mapping for it.