An identifier is an ID to name your database objects, such as index names, field names, aliases, and so on. Elasticsearch supports two types of identifiers: regular identifiers and delimited identifiers.
A regular identifier is a string of characters that starts with an ASCII letter (lower or upper case). The next character can either be a letter, digit, or underscore (_). It can’t be a reserved keyword. Whitespace and other special characters are also not allowed.
Elasticsearch supports the following regular identifiers:
- Identifiers prefixed by a dot
.sign. Use to hide an index. For example
- Identifiers prefixed by an
@sign. Use for meta fields generated by Logstash ingestion.
- Identifiers with hyphen
-in the middle. Use for index names with date information.
- Identifiers with star
*present. Use for wildcard match of index patterns.
For regular identifiers, you can use the name without any back tick or escape characters. In this example,
lastname are all identifiers. Out of these, the
source field is a reserved identifier.
source=accounts | fields account_number, firstname, lastname;
A delimited identifier can contain special characters not allowed by a regular identifier. You must enclose delimited identifiers with back ticks (``). Back ticks differentiate the identifier from special characters.
If the index name includes a dot (
.), for example,
log-2021.01.11, use delimited identifiers with back ticks to escape it `
Typical examples of using delimited identifiers:
- Identifiers with reserved keywords.
- Identifiers with a
-to include date information.
- Identifiers with other special characters. For example, Unicode characters.
To quote an index name with back ticks:
source=`accounts` | fields `account_number`;
Identifiers are case sensitive. They must be exactly the same as what’s stored in Elasticsearch.
For example, if you run
source=Accounts, you’ll get an index not found exception because the actual index name is in lower case.