Efficient time-based multi index searches in ES6

BradVido · July 3, 2018, 4:03pm

I recently upgraded from ES 1.7 to 6.3, so have a lot to learn. I thought i head read in some documentation that ES is smart enough to know what indices to query based on timestamp fields.

If i wanted to search 7/1 thru 7/3 is ES 1.7, I would search like this:

logstash-2018-07-01,logstash-2018-07-02,logstash-2018-07-03/_search

Is this still necessary, or can I simply do:
logstash-*/_search
and supply a range filter for the @timesamp field in the query and ES will figure out which indices to search?

BradVido · July 6, 2018, 2:16pm

From my limited testing the queries seem to run just as fast if I specify logstash-* or if i specifiy the exact index names. I just want to confirm this is the case.

BradVido · July 24, 2018, 3:28pm

Any info on this? I can't find any conclusive documentation

ddorian43 · July 25, 2018, 5:26pm

_index filter is faster than range filter on more indexes.

Probably the range filter is smart enough to see min/max values of the shards/segments and early-terminate the query ?

Still, the shard would need to do some type of processing even with early-terminate, so better to restrict number of indexes that you're querying.

BradVido · July 25, 2018, 8:03pm

I may be mixing "rollover" into this as well, interesting read: https://www.elastic.co/blog/managing-time-based-indices-efficiently

system · August 22, 2018, 8:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.