How to create a Kibana dashboard which could search through index relations?

Hi everybody

I have 3 different indices, A, B and C

A and B both sharing a field suppose F1
B and C also sharing another field suppose F2

I've added 3 different saved searches to a dashboard. So when I want to search something from F1, the A and B saved searches display results, but not C. How can I also connect C so it shows results depending on F1, connected using F2?


Does your data view/index pattern match all three indices?

How can I also connect C so it shows results depending on F1, connected using F2?

How do F1 and F2 relate? Could you please explain this in more detail?

I think it is better with a drawing. All 3 saved searches use different data views.

This sort of thing isn't really possible currently, especially if the documents are in separate indices. If they were in a shared index, you might be able to accomplish it using join fields.

Every index needs to have all fields you want to filter on. This can be achieved by using enrichment.

I've tried enrichment already, but the enrichment index is static, and all the indices are data streams and continuously receive new documents...

Having new documents all the time is not an issue. The important question is how often you have new IDs. In your case index B seems to know all the relationships. This one can be used. You only need to re-execute the enrichment policy every now and then. This works best with Watcher. I've made this already using APM indices and enriching documents with information about the user that is coming in later in the user session. Works fine. The only trade-off is that it adds a bit of load to your cluster.

Another option is to use lookup runtime fields. You could look up from C in B to get F1, and look up from A in B to get F2. The trade-off for this approach is the impact on search performance, and I believe not all aggregations are allowed on the fields that you looked up.

Well, I've thought about renewing the enrichment, but the new document frequency is high: every second all the indices receive about 20-50 documents, and this way loads the cluster too much.

I couldn't find any way to search a different index using runtime fields. I think it is not possible!

20 - 50 EPS does not sound very much.

This is the documentation for lookup runtime fields

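As an added example (not from any poster in this thread), here is what the lookup runtime field approach suggested above looks like as a search request against B, the index that carries both F1 and F2: the query filters B on F1, one lookup pulls fields from C by matching F2, and another pulls fields from A by matching F1. The index names A, B, C and the field names F1, F2 are taken from the question; `c_status`, `c_message`, `a_user` and the value `some-value` are assumed placeholders.

```json
GET B/_search
{
  "query": {
    "match": { "F1": "some-value" }
  },
  "runtime_mappings": {
    "from_c": {
      "type": "lookup",
      "target_index": "C",
      "input_field": "F2",
      "target_field": "F2",
      "fetch_fields": ["c_status", "c_message"]
    },
    "from_a": {
      "type": "lookup",
      "target_index": "A",
      "input_field": "F1",
      "target_field": "F1",
      "fetch_fields": ["a_user"]
    }
  },
  "fields": ["F1", "F2", "from_c", "from_a"],
  "_source": false
}
```

The looked-up values come back per hit under `fields` (as `from_c` and `from_a`), which is why, as noted in the reply above, they can be displayed but not used in the query itself or in aggregations.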
