GET request to get the most recent event always returning the same thing in Elasticsearch

Question

I am trying to just simply get the most recent event to happen with curl, and I am always getting the same thing. Here is the curl that I'm using:

curl localhost:9200/packetbeat-2017.01.26/_search?pretty=true -d '
{
"query": {
    "match_all": {}
},
"size": 1,
"sort": [{
    "_timestamp": {
        "order": "desc"
    }
}]
}

I tried in ascending and descending order, and it ALWAYS returns the same event. By this I mean that the info that I am getting is always the same, even the ID(which should be different even if all the other info is the same).

score 1 · Accepted Answer · answered Jan 27 '17 at 21:11

1

Filebeat adds the @timestamp field to the events it sends. So try using:

curl -XGET "http://localhost:9200/filebeat-*/_search?pretty" -d'
{
  "size": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}'

answered Jan 27 '17 at 21:11

A J

2,508
21
26

GET request to get the most recent event always returning the same thing in Elasticsearch

1 Answers1