All of my documents holds a 'severity' field with only 4 possible values: LOW, MED, HIGH, CRITICAL
The document have much more fields such as timestamp, IP, port, message
The opearions that I perform on 'severity' are:
- Count by 'severity' aggregate by last: day, week, month
- Get all events with 'severiry'== aggregate by last: day, week, month
Is there any sense in dropping the field and having an index per 'severity'? As far as I can tell, this approach:
- Will not have improved query performance. After all, I still need to traverse all shards over 4 'severity'indices
- Indexing should be faster? Not sure. I think there should be no performance gain
- Reverse Index memory footprint should decrease as I will have 1 less, very common, term in my reverse index
Marking 'severity' as stop term seems problematic due to the term usage in queries.
Since the severity have low cardinality, do I need to take particular considerations when designing my index or mappings?