Elasticsearch query without date range

Hello,
I wonder how an Elasticsearch query works without a date range?

Is there a default size of the result?

For example, what if I only use lte for the range? Does the query result include all the records from the first record up to the lte value?

Regards,
Gizem

Yes.

Thank you @dadoonet.
What if there is no date range? Is specifying size better, and does it make the query faster?

If you don't have any query, it's faster. But if you have a query, reducing the number of indices by adding a time filter will also make the search faster to run.

What is exactly your question?

Okay, here is my question: if I define the parameter "size" in the query below, will it be faster? If not, how can I make that query faster?

{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              { "match_phrase": { "logTag": "LOG1" } },
              { "match_phrase": { "logTag": "LOG2" } }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lte": "2020-10-24T08:19:39.438Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "aggs": {
    "status": {
      "top_hits": {
        "docvalue_fields": [
          { "field": "Severity", "format": "use_field_mapping" }
        ],
        "_source": ["Severity"],
        "size": 1,
        "sort": [
          { "@timestamp": { "order": "desc" } }
        ]
      }
    }
  }
}

If you have only one shard, I don't think it will change a lot. If you have time based indices you might be able to see a difference.

But the best thing to do is to test it :smirk:
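As an added example (not code from the thread or from Elastic), here is the search body above built in Python with the two tunables the replies point at: a lower bound on @timestamp so the range filter is bounded on both sides, and a top-level "size" of 0 so no hits are fetched when only the top_hits aggregation is wanted. The function name, the sample timestamps and the defaults are my assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def _iso_utc(ts: datetime) -> str:
    """Format a timezone-aware datetime as UTC with a 'Z' suffix, like @timestamp."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_status_query(log_tags, lte: datetime, gte: Optional[datetime] = None,
                       hits_size: int = 0) -> dict:
    """Build the thread's search body.

    gte       : optional lower bound; with both bounds set, time-based indices
                outside the window can be skipped (the point made in the replies).
    hits_size : top-level "size"; 0 returns only the aggregation, no hit documents.
    """
    if gte is not None and gte > lte:
        raise ValueError("gte must not be after lte")
    time_range = {"lte": _iso_utc(lte)}
    if gte is not None:
        time_range["gte"] = _iso_utc(gte)
    return {
        "size": hits_size,
        "query": {"bool": {
            "must": [{"bool": {
                "should": [{"match_phrase": {"logTag": tag}} for tag in log_tags],
                "minimum_should_match": 1,
            }}],
            "filter": [{"range": {"@timestamp": time_range}}],
        }},
        "aggs": {"status": {"top_hits": {
            "docvalue_fields": [{"field": "Severity", "format": "use_field_mapping"}],
            "_source": ["Severity"],
            "size": 1,
            "sort": [{"@timestamp": {"order": "desc"}}],
        }}},
    }


# Constructed sample window: the thread's lte value and one day before it (assumption).
EXAMPLE_LTE = datetime(2020, 10, 24, 8, 19, 39, 438000, tzinfo=timezone.utc)
EXAMPLE_GTE = EXAMPLE_LTE - timedelta(days=1)
```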

Okay, thanks...
