I have a search on our ES cluster, which has 4 TB and 43 billion docs.
```json
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "CustomerID": {
              "value": "s1501"
            }
          }
        },
        {
          "range": {
            "Timestamp": {
              "from": 1533225600,
              "to": 1535903998
            }
          }
        }
      ]
    }
  },
  "aggregations": {
    "UserName": {
      "filter": {
        "bool": {
          "must_not": [
            {
              "terms": {
                "UserName": [
                  ""
                ]
              }
            }
          ]
        }
      },
      "aggregations": {
        "UserName": {
          "terms": {
            "field": "UserName",
            "size": 10,
            "shard_size": 200
          },
          "aggregations": {
            "total": {
              "sum": {
                "field": "InByte"
              }
            }
          }
        }
      }
    }
  }
}
```
The search takes more than 10 seconds, but if I remove SUM and only use terms, it only takes about 1 second.
Why does the SUM take so much time? Are there any ways to optimize it?
BTW, only about 280,000 docs are matched in the search.
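As an added example (not part of the original post), one way to see where the time actually goes is to send the same request with `"profile": true` and then add up the per-aggregation `time_in_nanos` values across shards; `size: 0` and the sample profile response below are assumptions and constructed data, not output from the poster's cluster.

```python
from collections import defaultdict

# The poster's query, with size 0 (assumption: only aggregation results are
# needed) and the Profile API enabled so each aggregation reports its own time.
QUERY = {
    "size": 0,
    "profile": True,
    "query": {"bool": {"filter": [
        {"term": {"CustomerID": {"value": "s1501"}}},
        {"range": {"Timestamp": {"from": 1533225600, "to": 1535903998}}},
    ]}},
    "aggregations": {"UserName": {
        "filter": {"bool": {"must_not": [{"terms": {"UserName": [""]}}]}},
        "aggregations": {"UserName": {
            "terms": {"field": "UserName", "size": 10, "shard_size": 200},
            "aggregations": {"total": {"sum": {"field": "InByte"}}},
        }},
    }},
}


def profile_times(response: dict) -> dict:
    """Sum time_in_nanos per aggregation (type:description) over all shards.

    Walks each shard's nested 'children' so the 'total' sum sub-aggregation
    is reported separately from the enclosing terms and filter aggregations.
    """
    totals = defaultdict(int)

    def walk(agg):
        totals[f"{agg['type']}:{agg['description']}"] += agg["time_in_nanos"]
        for child in agg.get("children", []):
            walk(child)

    for shard in response.get("profile", {}).get("shards", []):
        for agg in shard.get("aggregations", []):
            walk(agg)
    return dict(totals)


def slowest(totals: dict) -> str:
    """Return the aggregation that consumed the most time in total."""
    return max(totals, key=totals.get)


# Constructed two-shard profile response (sample numbers, not real output).
SAMPLE_RESPONSE = {"profile": {"shards": [
    {"aggregations": [{"type": "FilterAggregator", "description": "UserName", "time_in_nanos": 50_000_000,
      "children": [{"type": "GlobalOrdinalsStringTermsAggregator", "description": "UserName", "time_in_nanos": 900_000_000,
                    "children": [{"type": "SumAggregator", "description": "total", "time_in_nanos": 4_000_000_000}]}]}]},
    {"aggregations": [{"type": "FilterAggregator", "description": "UserName", "time_in_nanos": 40_000_000,
      "children": [{"type": "GlobalOrdinalsStringTermsAggregator", "description": "UserName", "time_in_nanos": 800_000_000,
                    "children": [{"type": "SumAggregator", "description": "total", "time_in_nanos": 3_500_000_000}]}]}]},
]}}
```

Send `QUERY` to the cluster's `_search` endpoint and pass the JSON reply to `profile_times` to compare the terms and sum aggregation costs directly.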