Deleting / editing existing analyzer in elastic index

Leonid_P · December 8, 2022, 10:54pm

Hello!

Is it safe to delete or change an analyzer in an existing index?

Surfing through Stackoverflow and experimenting on my own I've found ways for both operations, i.e.

curl -X PUT "localhost:9200/index_name/_settings?pretty" -H 'Content-Type: application/json' -d'{
"analysis": {
"analyzer": {
"analyzer_name": {"filter":null,"tokenizer":null,"type":null}
}
}
}'

for deletion and just adding analyzer with the same name and different properties, say

curl -X PUT "localhost:9200/index_name/_settings?pretty" -H 'Content-Type: application/json' -d'{
"analysis": {
"analyzer": {
"analyzer_name": {"type":"custom","tokenizer":"whitespace"}
}
}
}'

for editing.

In both cases the index should be closed first, both commands respond with "acknowledged" : true. Command
curl -X GET "localhost:9200/index_name/_settings?pretty"
responds with what it is expected to respond (i.e. the analyzer has disappeared after the deletion command or the properties of the analyzer have changed after the editing command), and the index works OK after opening, at least it seems so after brief testing.

These feautures are very importaint and convinient, but are they actually safe, or they may corrupt documents or other parts of the index?

For compatibility reasons I'm using Elasticsearch 7.13.4 version.

Big thanks in advance!

RabBit_BR · December 9, 2022, 2:48am

Hi @Leonid_P

I usually create a new index when an analyzer is created and then use the Reindex API.
This ensures that the new analyzer is applied to all documents.
This is also good because you guarantee a backup index in case something goes wrong with the new index.

Doing it your way I think it's a very high risk if any failure occurs that's how you can lose your index.

Leonid_P · December 9, 2022, 6:20am

Thank you for reply!

The index I'm going to deal with is really HUGE. Reindexing it with following testing would take about a week. And on the other hand it is treated within the set of similar indexes which I wouldn't like to affect, that's why I don't want just to add a new analyzer with a new name either (all indexes in the set should have same names for analyzers).

The analyzer to be edited (or deleted and then added again with a new set of filters) is to be just a search analyzer, it will not be used in indexing documents, so this operation won't make different documents to be indexed in different ways.

So the question is, whether editing / deleting an existing analyzer is itself somehow more dangerous for internal index data than just adding a new analyzer as it is described at the end of Update index settings API | Elasticsearch Guide [8.5] | Elastic page?

Probably if it is unsafe, acknowledging these editing / deletion analyzer commands should be treated as a bug?

RabBit_BR · December 9, 2022, 8:17am

What I exposed was my vision of treating the problem. Documentation can be followed for your purpose.
I just work in a way to get more security.
If you tested it and it worked in your test environment, the same should happen in production.

system · January 6, 2023, 8:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.