Elasticsearch Cheat Sheet
Complete reference guide for Elasticsearch with interactive examples and live playground links
Basic Operations
Cluster Health & Info
Monitor cluster status and health
Elasticsearch
# Check cluster health
GET _cluster/health
# Get cluster details
GET _cluster/stats
# Get node info
GET _nodes
# Get detailed node stats
GET _nodes/stats
# Get index stats
GET _stats
# View thread pool stats
GET _nodes/thread_poolIndex Management
Creating and managing indices
Elasticsearch
# Create index
PUT /products
{
"settings": {
"number_of_shards": 3,
"number_of_replicas": 1
}
}
# Create index with mappings
PUT /users
{
"settings": {
"number_of_shards": 2
},
"mappings": {
"properties": {
"name": { "type": "text" },
"email": { "type": "keyword" },
"age": { "type": "integer" },
"joined_date": { "type": "date" }
}
}
}
# Get index settings and mappings
GET /users
# Delete an index
DELETE /users
# Close an index (to make it read-only)
POST /users/_close
# Open a closed index
POST /users/_open
# List all indices with stats
GET /_cat/indices?v
# Clone an index
POST /source_index/_clone/target_indexDocument Operations
Working with documents
Elasticsearch
# Add document with automatic ID
POST /users/_doc
{
"name": "John Smith",
"email": "john@example.com",
"age": 32
}
# Add document with specific ID
PUT /users/_doc/1
{
"name": "Jane Doe",
"email": "jane@example.com",
"age": 28
}
# Update document
POST /users/_update/1
{
"doc": {
"age": 29
}
}
# Update with script
POST /users/_update/1
{
"script": {
"source": "ctx._source.age += params.increment",
"lang": "painless",
"params": {
"increment": 1
}
}
}
# Get document
GET /users/_doc/1
# Delete document
DELETE /users/_doc/1
# Bulk operations
POST _bulk
{ "index": { "_index": "users", "_id": "2" } }
{ "name": "Alice Smith", "email": "alice@example.com" }
{ "update": { "_index": "users", "_id": "1" } }
{ "doc": { "city": "New York" } }
{ "delete": { "_index": "users", "_id": "3" } }Search & Query DSL
Basic Search
Basic search operations
Elasticsearch
# Simple match all
GET /users/_search
{
"query": {
"match_all": {}
}
}
# Search with pagination
GET /users/_search
{
"from": 10,
"size": 20,
"query": {
"match_all": {}
}
}
# Field selection
GET /users/_search
{
"_source": ["name", "email"],
"query": {
"match_all": {}
}
}
# Simple text search
GET /users/_search
{
"query": {
"match": {
"name": "john"
}
}
}
# Phrase search
GET /users/_search
{
"query": {
"match_phrase": {
"bio": "software engineer"
}
}
}
# Term search (exact match)
GET /products/_search
{
"query": {
"term": {
"status": "active"
}
}
}Advanced Queries
Complex search queries
Elasticsearch
# Boolean query (combining multiple conditions)
GET /users/_search
{
"query": {
"bool": {
"must": [
{ "match": { "name": "john" } }
],
"filter": [
{ "range": { "age": { "gte": 25, "lte": 45 } } }
],
"must_not": [
{ "term": { "status": "inactive" } }
],
"should": [
{ "term": { "city": "new york" } }
]
}
}
}
# Range query
GET /products/_search
{
"query": {
"range": {
"price": {
"gte": 100,
"lte": 200
}
}
}
}
# Wildcard query
GET /users/_search
{
"query": {
"wildcard": {
"email": "*@gmail.com"
}
}
}
# Regex query
GET /users/_search
{
"query": {
"regexp": {
"email": ".*@example\.(com|org)"
}
}
}
# Fuzzy query (similar terms with typo tolerance)
GET /products/_search
{
"query": {
"fuzzy": {
"name": {
"value": "lapton",
"fuzziness": "AUTO"
}
}
}
}
# Nested query
GET /orders/_search
{
"query": {
"nested": {
"path": "items",
"query": {
"bool": {
"must": [
{ "match": { "items.name": "iphone" } },
{ "range": { "items.price": { "gt": 500 } } }
]
}
}
}
}
}Full-text Search
Text search capabilities
Elasticsearch
# Multi-match (search multiple fields)
GET /products/_search
{
"query": {
"multi_match": {
"query": "lightweight laptop",
"fields": ["name", "description", "tags"]
}
}
}
# Multi-match with field boosting
GET /products/_search
{
"query": {
"multi_match": {
"query": "apple macbook",
"fields": ["name^3", "description", "brand^2"]
}
}
}
# Query string (query parser)
GET /_search
{
"query": {
"query_string": {
"query": "(apple OR microsoft) AND (laptop OR desktop) -tablet",
"default_field": "description"
}
}
}
# Simple query string (safer, more forgiving syntax)
GET /_search
{
"query": {
"simple_query_string": {
"query": "apple | microsoft + laptop -tablet",
"fields": ["name", "description"],
"default_operator": "and"
}
}
}Aggregations
Aggregate and analyze data
Elasticsearch
# Metric aggregation (statistics)
GET /orders/_search
{
"size": 0,
"aggs": {
"avg_price": { "avg": { "field": "price" } },
"sum_price": { "sum": { "field": "price" } },
"min_price": { "min": { "field": "price" } },
"max_price": { "max": { "field": "price" } },
"price_stats": { "stats": { "field": "price" } }
}
}
# Bucket aggregation (grouping)
GET /orders/_search
{
"size": 0,
"aggs": {
"status_count": {
"terms": {
"field": "status",
"size": 10
}
}
}
}
# Date histogram
GET /logs/_search
{
"size": 0,
"aggs": {
"logs_over_time": {
"date_histogram": {
"field": "timestamp",
"calendar_interval": "day"
}
}
}
}
# Nested aggregations
GET /products/_search
{
"size": 0,
"aggs": {
"by_category": {
"terms": {
"field": "category",
"size": 10
},
"aggs": {
"avg_price": {
"avg": { "field": "price" }
}
}
}
}
}
# Filtering aggregations
GET /products/_search
{
"size": 0,
"aggs": {
"high_value_products": {
"filter": { "range": { "price": { "gte": 1000 } } },
"aggs": {
"by_category": {
"terms": { "field": "category" }
}
}
}
}
}Administration & Analysis
Index Templates
Creating index templates
Elasticsearch
# Create index template
PUT _template/logs_template
{
"index_patterns": ["logs-*"],
"settings": {
"number_of_shards": 1,
"number_of_replicas": 1
},
"mappings": {
"properties": {
"timestamp": { "type": "date" },
"message": { "type": "text" },
"level": { "type": "keyword" }
}
}
}
# Get template
GET _template/logs_template
# Delete template
DELETE _template/logs_template
# Create component template (Elasticsearch 7.8+)
PUT _component_template/logs_settings
{
"template": {
"settings": {
"number_of_shards": 1,
"number_of_replicas": 1
}
}
}
# Create index template using component templates
PUT _index_template/logs_template
{
"index_patterns": ["logs-*"],
"composed_of": ["logs_settings"],
"priority": 100,
"template": {
"mappings": {
"properties": {
"message": { "type": "text" }
}
}
}
}Mapping Management
Managing field mappings
Elasticsearch
# Update mappings (add new fields)
PUT /users/_mapping
{
"properties": {
"address": {
"type": "object",
"properties": {
"city": { "type": "keyword" },
"zip": { "type": "keyword" },
"location": { "type": "geo_point" }
}
}
}
}
# Get mapping
GET /users/_mapping
# Common field data types
PUT /example/_mapping
{
"properties": {
"text_field": { "type": "text" },
"keyword_field": { "type": "keyword" },
"integer_field": { "type": "integer" },
"long_field": { "type": "long" },
"float_field": { "type": "float" },
"double_field": { "type": "double" },
"boolean_field": { "type": "boolean" },
"date_field": { "type": "date" },
"binary_field": { "type": "binary" },
"range_field": { "type": "integer_range" },
"object_field": { "type": "object" },
"nested_field": { "type": "nested" },
"geo_point": { "type": "geo_point" },
"geo_shape": { "type": "geo_shape" },
"ip_field": { "type": "ip" }
}
}Aliases
Working with index aliases
Elasticsearch
# Create alias
POST /_aliases
{
"actions": [
{ "add": { "index": "logs-2023", "alias": "current-logs" } }
]
}
# Add multiple indices to an alias
POST /_aliases
{
"actions": [
{ "add": { "index": "logs-2022", "alias": "all-logs" } },
{ "add": { "index": "logs-2023", "alias": "all-logs" } }
]
}
# Remove index from alias
POST /_aliases
{
"actions": [
{ "remove": { "index": "logs-2022", "alias": "current-logs" } }
]
}
# Move alias (atomic operation)
POST /_aliases
{
"actions": [
{ "remove": { "index": "logs-2022", "alias": "current-logs" } },
{ "add": { "index": "logs-2023", "alias": "current-logs" } }
]
}
# Create filtered alias
POST /_aliases
{
"actions": [
{
"add": {
"index": "logs-*",
"alias": "error-logs",
"filter": {
"term": { "level": "ERROR" }
}
}
}
]
}Analysis & Analyzers
Customizing text analysis
Elasticsearch
# Test analyzer
GET _analyze
{
"analyzer": "standard",
"text": "This is an example text for analysis."
}
# Test custom analyzer
GET _analyze
{
"tokenizer": "standard",
"filter": ["lowercase", "asciifolding"],
"text": "Café Spécial"
}
# Create custom analyzer
PUT /my_index
{
"settings": {
"analysis": {
"analyzer": {
"my_custom_analyzer": {
"type": "custom",
"tokenizer": "standard",
"char_filter": ["html_strip"],
"filter": ["lowercase", "stop", "snowball"]
}
}
}
}
}
# Test custom analyzer in index
GET /my_index/_analyze
{
"analyzer": "my_custom_analyzer",
"text": "Running and jumping <b>quickly</b>"
}Data Management
Managing index data
Elasticsearch
# Refresh index
POST /users/_refresh
# Force merge (optimize)
POST /logs-2022/_forcemerge
{
"max_num_segments": 1
}
# Clear cache
POST /users/_cache/clear
# Explain query scoring
GET /products/_explain/1
{
"query": {
"match": { "name": "laptop" }
}
}
# Reindex data
POST _reindex
{
"source": {
"index": "old_index"
},
"dest": {
"index": "new_index"
}
}
# Reindex with query
POST _reindex
{
"source": {
"index": "logs",
"query": {
"range": {
"timestamp": {
"gte": "2023-01-01"
}
}
}
},
"dest": {
"index": "logs-2023"
}
}
# Update by query
POST /users/_update_by_query
{
"query": {
"term": { "status": "active" }
},
"script": {
"source": "ctx._source.visits += params.increment",
"params": {
"increment": 1
}
}
}
# Delete by query
POST /logs/_delete_by_query
{
"query": {
"range": {
"timestamp": {
"lt": "2022-01-01"
}
}
}
}Elasticsearch - Interactive Developer Reference
Hover over code blocks to copy or run in live playground