Multiple aggregations in a single query vs. a single aggregation per query across multiple queries: which performs better?

I have to perform two aggregations over the same filtered document set. Let's say:
query1 =

{
    "aggs": {
        "traffic": {
            "date_histogram": {
                "field": "@timestamp",
                "fixed_interval": "30s",
                "time_zone": "Asia/Calcutta",
                "min_doc_count": 1
            },
            "aggs": {
                "3": {
                    "sum": {
                        "field": "event_count"
                    }
                }
            }
        }
    },
    "size": 0,
    "query": {
        "bool": {
            "must": [],
            "filter": [
                {
          "range": {
            "@timestamp": {
              "gte": "2024-02-07T19:40:25.367Z",
              "lte": "2024-02-07T19:55:25.367Z",
              "format": "strict_date_optional_time"
            }
          }
        }
            ],
            "should": [],
            "must_not": []
        }
    }
}

query2 =

{
    "aggs": {
        "org": {
            "terms": {
                "field": "source_org.keyword",
                "order": {
                    "_count": "desc"
                },
                "size": 100
            },
            "aggs": {
                "3": {
                    "top_hits": {
                        "_source": "source_country_code",
                        "size": 1,
                        "sort": [
                            {
                                "@timestamp": {
                                    "order": "desc"
                                }
                            }
                        ]
                    }
                },
                "4": {
                    "top_hits": {
                        "_source": "source_country_name",
                        "size": 1,
                        "sort": [
                            {
                                "@timestamp": {
                                    "order": "desc"
                                }
                            }
                        ]
                    }
                },
                "5": {
                    "top_hits": {
                        "docvalue_fields": [
                            {
                                "field": "@timestamp",
                                "format": "date_time"
                            }
                        ],
                        "_source": "@timestamp",
                        "size": 1,
                        "sort": [
                            {
                                "@timestamp": {
                                    "order": "desc"
                                }
                            }
                        ]
                    }
                }
            }
        }
    },
    "size": 0,
    "query": {
        "bool": {
            "must": [],
            "filter": [
               {
          "range": {
            "@timestamp": {
              "gte": "2024-02-07T19:40:25.367Z",
              "lte": "2024-02-07T19:55:25.367Z",
              "format": "strict_date_optional_time"
            }
          }
        }
            ],
            "should": [],
            "must_not": []
        }
    }
}

And then there is the combined query, which carries both aggregations under the same `bool.filter` range:
query_combined =

{
    "aggs": {
        "traffic": {
            "date_histogram": {
                "field": "@timestamp",
                "fixed_interval": "30s",
                "time_zone": "Asia/Calcutta",
                "min_doc_count": 1
            },
            "aggs": {
                "3": {
                    "sum": {
                        "field": "event_count"
                    }
                }
            }
        },
        "org": {
            "terms": {
                "field": "source_org.keyword",
                "order": {
                    "_count": "desc"
                },
                "size": 100
            },
            "aggs": {
                "3": {
                    "top_hits": {
                        "_source": "source_country_code",
                        "size": 1,
                        "sort": [
                            {
                                "@timestamp": {
                                    "order": "desc"
                                }
                            }
                        ]
                    }
                },
                "4": {
                    "top_hits": {
                        "_source": "source_country_name",
                        "size": 1,
                        "sort": [
                            {
                                "@timestamp": {
                                    "order": "desc"
                                }
                            }
                        ]
                    }
                },
                "5": {
                    "top_hits": {
                        "docvalue_fields": [
                            {
                                "field": "@timestamp",
                                "format": "date_time"
                            }
                        ],
                        "_source": "@timestamp",
                        "size": 1,
                        "sort": [
                            {
                                "@timestamp": {
                                    "order": "desc"
                                }
                            }
                        ]
                    }
                }
            }
        }
    },
    "size": 0,
    "query": {
        "bool": {
            "must": [],
            "filter": [
               {
          "range": {
            "@timestamp": {
              "gte": "2024-02-07T19:40:25.367Z",
              "lte": "2024-02-07T19:55:25.367Z",
              "format": "strict_date_optional_time"
            }
          }
        }
            ],
            "should": [],
            "must_not": []
        }
    }
}

Now, given that I have an Elasticsearch cluster with 5 coordinating nodes, which scenario will perform better?
1 = query1 + query2 sent separately (via the `_search` API twice, or together via the `_msearch` API)
2 = query_combined sent once via the `_search` API

What I think is that query_combined will perform better, because the filters are identical: the matching documents are collected once and both aggregations are computed over that single pass, whereas sending two separate queries makes the data nodes evaluate the same filter and collect the same documents twice.
query_combined may have somewhat higher CPU utilization, which is acceptable from my side, but memory is the limiting factor: the heap is restricted to 32 GB (the threshold at which the circuit breaker trips), and the `terms` aggregation with `size: 100` plus three `top_hits` sub-aggregations per bucket is the part I expect to be memory-heavy.

Please comment on which scenario will perform better, and whether my reasoning above is correct.
