Skip to content

Elasticsearch Cheat Sheet

Advanced Elasticsearch cheatsheet built from the provided reference and deep web research. Queries are grouped by real-world operational and search use cases.

Cluster & Node Information

Inspect cluster health, nodes, and metadata.

GET /
GET /_cluster/health
GET /_cluster/state

GET /_cat/nodes?v
GET /_nodes/stats
GET /_nodes

CAT APIs (Quick Inspection)

Human-readable cluster and index inspection APIs.

GET /_cat/indices?v
GET /_cat/indices/my-index-*?v

GET /_cat/aliases?v
GET /_cat/shards?v
GET /_cat/allocation?v

GET /_cat/health?v
GET /_cat/thread_pool?v

Index Management

Create, inspect, and delete indices.

PUT /my-index
DELETE /my-index

GET /my-index
GET /my-index/_settings
GET /my-index/_mapping

Index Settings

Update dynamic index settings.

PUT /my-index/_settings
{
  "index": {
    "number_of_replicas": 0,
    "refresh_interval": "5s"
  }
}

Mappings

Define and inspect field mappings.

PUT /my-index/_mapping
{
  "properties": {
    "created_at": { "type": "date" },
    "status": { "type": "keyword" },
    "message": { "type": "text" }
  }
}

GET /my-index/_mapping

Index Templates

Reusable settings and mappings for index patterns.

PUT /_template/my_template
{
  "index_patterns": ["logs-*"],
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" }
    }
  }
}

GET /_template/my_template

Document Indexing

Insert and update documents.

POST /my-index/_doc
{
  "user": "alice",
  "action": "login"
}

PUT /my-index/_doc/1
{
  "user": "bob",
  "action": "logout"
}

Partial Updates

Update fields without reindexing the full document.

POST /my-index/_doc/1/_update
{
  "doc": {
    "action": "password_change"
  }
}

Scripted Update

POST /my-index/_doc/1/_update
{
  "script": {
    "source": "ctx._source.count += params.inc",
    "params": { "inc": 1 }
  }
}

Searching Basics

Basic search queries.

GET /my-index/_search
{
  "query": {
    "match_all": {}
  }
}

GET /my-index/_search
{
  "query": {
    "match": {
      "message": "error"
    }
  }
}

Boolean Queries

Combine multiple conditions.

GET /my-index/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "status": "error" } }
      ],
      "filter": [
        { "term": { "env.keyword": "prod" } }
      ]
    }
  }
}

Pagination & Sorting

Control result size and order.

GET /my-index/_search
{
  "from": 0,
  "size": 20,
  "sort": [
    { "@timestamp": "desc" }
  ]
}

Source Filtering

Include or exclude fields in responses.

GET /my-index/_search
{
  "_source": {
    "includes": ["user", "status"],
    "excludes": ["debug"]
  }
}

Text Analysis

Inspect how text is analyzed.

GET /my-index/_analyze
{
  "field": "message",
  "text": "Quick brown fox"
}

GET /_analyze
{
  "analyzer": "standard",
  "text": "Quick brown fox"
}

Aggregations – Metrics

Compute statistics.

GET /my-index/_search
{
  "size": 0,
  "aggs": {
    "avg_duration": {
      "avg": { "field": "duration" }
    }
  }
}

min, max, sum, avg, stats

Aggregations – Buckets

Group documents.

GET /my-index/_search
{
  "size": 0,
  "aggs": {
    "by_status": {
      "terms": { "field": "status.keyword" }
    }
  }
}

date_histogram
range
filters

Significant Terms

Discover unusual terms.

GET /my-index/_search
{
  "size": 0,
  "aggs": {
    "sig_terms": {
      "significant_terms": {
        "field": "message.keyword"
      }
    }
  }
}

Field Collapsing

Group search results.

GET /my-index/_search
{
  "collapse": {
    "field": "user.keyword"
  }
}

Aliases

Switch indices transparently.

POST /_aliases
{
  "actions": [
    { "remove": { "index": "old-index", "alias": "logs" } },
    { "add": { "index": "new-index", "alias": "logs" } }
  ]
}

GET /_cat/aliases?v

Reindex

Copy data between indices.

POST /_reindex
{
  "source": { "index": "old-index" },
  "dest": { "index": "new-index" }
}

Snapshots & Restore

Backup and restore indices.

PUT /_snapshot/my_backup
{
  "type": "fs",
  "settings": {
    "location": "/mnt/es-backups",
    "compress": true
  }
}

PUT /_snapshot/my_backup/snap-1?wait_for_completion=false
{
  "indices": "my-index"
}

POST /_snapshot/my_backup/snap-1/_restore

Performance & Debugging

Analyze performance and slow queries.

EXPLAIN /my-index/_search

PUT /my-index/_settings
{
  "index.search.slowlog.threshold.query.warn": "0s",
  "index.search.slowlog.threshold.fetch.warn": "0s"
}

GET /_cat/thread_pool?v
GET /_cat/tasks?v

Monitoring & Diagnostics

Low-level inspection.

GET /_nodes/hot_threads
GET /_cluster/allocation/explain

Useful Patterns

Common operational queries.

# List largest indices
GET /_cat/indices?v&s=store.size:desc

# Check disk usage
GET /_cat/allocation?v

# Find mapping conflicts
GET /my-index/_field_caps?fields=*