I am trying to just simply get the most recent event to happen with curl, and I am always getting the same thing. Here is the curl that I'm using:
curl localhost:9200/packetbeat-2017.01.26/_search?pretty=true -d '
{
  "query": {
    "match_all": {}
  },
  "size": 1,
  "sort": [{
    "_timestamp": {
      "order": "desc"
    }
  }]
}'
I tried in ascending and descending order, and it ALWAYS returns the same event. By this I mean that the info that I am getting is always the same, even the ID (which should be different even if all the other info is the same).
Filebeat adds the @timestamp field to the events it sends. So try using:
curl -XGET "http://localhost:9200/filebeat-*/_search?pretty" -d'
{
  "size": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}'
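A small local model of the symptom and the fix discussed in this thread, as an added example that is not part of the original posts: when no document carries the sort field, every document ties, so ascending and descending return the same hit. Assumptions: documents lacking the sort field rank last in either direction and ties keep index order; the sample events and the helper names `search_top1` and `sort_field_coverage` are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events shaped like Beats documents: each one carries
# "@timestamp" and none carries "_timestamp".
EVENTS = [
    {"_id": "a1", "_source": {"@timestamp": "2017-01-26T10:00:03.000Z", "type": "dns"}},
    {"_id": "b2", "_source": {"@timestamp": "2017-01-26T10:00:09.000Z", "type": "http"}},
    {"_id": "c3", "_source": {"@timestamp": "2017-01-26T10:00:01.000Z", "type": "flow"}},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def search_top1(events, field, order):
    """Model a size=1 search sorted on a single field; return the top _id.

    Assumption (simplified model): documents without the field are ranked
    last for both "asc" and "desc", and tied documents keep index order.
    """
    present = [e for e in events if field in e["_source"]]
    missing = [e for e in events if field not in e["_source"]]
    # list.sort is stable, so equal timestamps keep their index order.
    present.sort(key=lambda e: parse_ts(e["_source"][field]),
                 reverse=(order == "desc"))
    ranked = present + missing
    return ranked[0]["_id"] if ranked else None


def sort_field_coverage(events, field):
    """Fraction of events that actually contain the sort field."""
    if not events:
        return 0.0
    return sum(1 for e in events if field in e["_source"]) / len(events)


if __name__ == "__main__":
    for field in ("_timestamp", "@timestamp"):
        print(field,
              "coverage=%.0f%%" % (100 * sort_field_coverage(EVENTS, field)),
              "asc ->", search_top1(EVENTS, field, "asc"),
              "desc ->", search_top1(EVENTS, field, "desc"))
```

A coverage of 0% for the sort field is the signal that the sort clause is not ordering anything, which is worth checking before trusting a "latest event" query in a dashboard or alert.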