Optimize search speed / resource usage by writing good queries?

Elastic Stack Kibana
#1

Hi,

I would like to increase my the search speed in kibana.
Since I am not that familar with lucene indexes / elasticsearch yet, I would like to ask you for your opinion.

Searching is real easy via kibana. Just type in a word and all events containing the word are given back.
Now my events have several fields, just like type, payload, message, username, etc.
For example, if I am searching for a username, does it improve the speed if I search for:
username: xyz instead of searching for xyz?

I mean, now ES would know, that it only needs to search within that field, but I am not sure, if the indexing is based on fields or on top level of the document.

I just want to optimize my saved queries and want to give the other team members hints to query as resource nicest as possible :wink:

PS:
I am aware of the fact, that I may get also additional events, where the username may occur in a different filed, if not setting the filter for the name. Just think of an example where xyz is ONLY found in the username.
Thanks Andreas

Performance different if searching on normal or keyword field?
#2

@asp specifying the field that you are searching for text within will generally increase performance. When you don't specify a field, it uses the Default Field of the index which defaults to _all.

The difference in performance between the two really depends on your data. To see how your queries are performing, you can use the "Spy Panel" highlighted below

Screen Shot 2017-03-16 at 6.55.14 AM.png3122×968 185 KB

which will show you the Request that is executed against Elasticsearch

Screen Shot 2017-03-16 at 6.55.49 AM.png3118×966 185 KB

and some pertinent Stats, particularly the Request duration

Screen Shot 2017-03-16 at 6.56.01 AM.png3110×962 182 KB

If you're interested in the performance of a specific query, we have a tool discussed here that will allow you to inspect the specific parts of the query that are taking the most time: https://www.elastic.co/blog/a-profile-a-day-keeps-the-doctor-away-the-elasticsearch-search-profiler

#3

thanks a lot for the reply.

Then I can write some guidelines for my team, how to use queries the best way.
Also the profiler looks very interesting.

Time to download the xpack basic :wink:

#4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.