Query Performace Help

ananth · January 12, 2016, 2:55pm

Hi,

We are getting logs from multiple ips thus a single index can have docs from multiple ips.

I need to categorise set of ips into one group. As of now i am using OR query to filter those group logs.

Method1 Example:
(ip1 OR ip2 OR .... OR ip26)

Now i am planning to add one extra field to index say group_name, which has information regarding what are all the ips belonging to this group.(ip1 to ip26 --> group1 and ip27 to ip30 -->group2). Now searching method will change as,

Method2 Example
group_name:group1

I would like to know how much performance gain (index may have 100 million documents) i will get if i migrated to method2 ?

warkolm · January 14, 2016, 7:08am

Hard to say really as there are so many unknowns, but it should be quicker.
You'd be better off testing.

jpountz · January 14, 2016, 9:12am

+1 to what Mark said

ebuildy · January 14, 2016, 12:07pm

You could also use filtered alias (https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html#filtered) it performs well and can be cached.

ananth · January 14, 2016, 12:27pm

Adrien/Mark/Thomas Thanks for the suggestions. I will try with test data and report back.

ananth · April 19, 2016, 10:01am

Having one more field(group_name) gives 70% speed improvement tested with 10million docs from 13 unique ips.

Topic		Replies	Views
Searching multiple fields(x,y) in Elasticsearch index "A" for entries in present in a field(z) in different index "B" Elasticsearch	6	1167	July 5, 2017
Multi-field search question? Elasticsearch	6	292	July 6, 2017
Filtering data to different indexes based on source iP Logstash	2	896	February 5, 2019
One index or many indecies for documents in diffrent groups? Elasticsearch	1	384	December 6, 2018
Improving query performance with many filtered aliases Elasticsearch	5	1935	March 1, 2017

Query Performace Help

Related Topics