Gyaan

Index Templates & Aliases

intermediate elasticsearch templates aliases operations

These two features look small but they’re how real ES deployments avoid downtime. Templates apply config to indices that don’t exist yet. Aliases let us swap indices behind a stable name.

Index Templates — config that auto-applies

Imagine we ship logs to ES, one index per day: logs-2026-05-26, logs-2026-05-27, etc. We don’t want to manually run PUT /logs-... with all the settings every day. Templates solve this.

A template says: “Any new index matching this pattern should get these settings, mappings, and aliases.”

PUT /_index_template/logs_template
{
  "index_patterns": ["logs-*"],
  "priority": 100,
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 1,
      "refresh_interval": "5s"
    },
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "level":      { "type": "keyword" },
        "message":    { "type": "text" },
        "service":    { "type": "keyword" },
        "user_id":    { "type": "keyword" }
      }
    },
    "aliases": {
      "logs": {}
    }
  }
}

Now when our app POSTs a doc to logs-2026-05-27 (which doesn’t exist yet), ES:

  1. Sees the index doesn’t exist.
  2. Matches logs-* pattern → applies the template.
  3. Creates the index with those settings + mappings + alias.
  4. Indexes the document.

In simple language: templates are “auto-config” for index creation.

Composable templates

Modern ES uses composable templates — you can split settings, mappings, and aliases into reusable component templates and stitch them together. Useful when many index types share base settings.

PUT /_component_template/base_settings
{ "template": { "settings": { "number_of_replicas": 1 } } }

PUT /_index_template/logs_template
{
  "index_patterns": ["logs-*"],
  "composed_of": ["base_settings"],
  "template": { "mappings": { ... } }
}

Aliases — the redirect layer

An alias is a pointer to one or more indices. Apps query the alias, ES routes to the actual index.

App → alias "products" → real index
App code:
GET /products/_search
alias: products
index: products_v3
Tomorrow we swap the alias to products_v4. App code unchanged.

The blue-green reindex pattern

This is THE killer use case. Say we need to change a field’s type (which isn’t allowed in-place). The dance:

# 1. Create the new index with the new mapping
PUT /products_v2
{ "mappings": { "properties": { "price": { "type": "scaled_float", "scaling_factor": 100 } } } }

# 2. Reindex from old to new
POST /_reindex
{
  "source": { "index": "products_v1" },
  "dest":   { "index": "products_v2" }
}

# 3. Atomically swap the alias
POST /_aliases
{
  "actions": [
    { "remove": { "index": "products_v1", "alias": "products" } },
    { "add":    { "index": "products_v2", "alias": "products" } }
  ]
}

# 4. Drop the old index
DELETE /products_v1

The alias swap is atomic. Apps never see a moment where products doesn’t exist. Zero downtime mapping change.

Aliases for log rotation

Combine aliases with daily indices:

POST /_aliases
{
  "actions": [
    { "add": { "index": "logs-2026-05-26", "alias": "logs", "is_write_index": false } },
    { "add": { "index": "logs-2026-05-27", "alias": "logs", "is_write_index": true } }
  ]
}
  • logs alias points to BOTH indices.
  • Searches across the alias hit both.
  • Writes go only to today’s index (is_write_index: true).

App searches logs, ES handles the routing. Kibana dashboards keep working as new indices come online.

Filtered aliases

We can attach a filter to an alias — useful for multi-tenancy:

POST /_aliases
{
  "actions": [{
    "add": {
      "index": "products",
      "alias": "products_us",
      "filter": { "term": { "country": "us" } }
    }
  }]
}

Now anyone querying products_us only sees US products. No app-side filter needed.

Data streams — the modern way for logs

For pure append-only time-series (logs, metrics), modern ES has data streams. Think of a data stream as a managed alias + auto-rollover + naming convention all rolled into one. They’re paired with ILM (Index Lifecycle Management) to auto-rollover when an index hits a size/age threshold.

For interview purposes: know that templates + aliases are the foundation; data streams are the syntactic sugar on top.

TL;DR

  • Index templates — auto-apply settings/mappings to new indices matching a pattern.
  • Aliases — stable name pointing to one or more real indices.
  • Blue-green reindex — alias swap = zero-downtime mapping change.
  • Log rotation — daily indices behind one alias with is_write_index.

These two patterns together are how you run ES at scale without 3 AM panic.

References