Query using Runtime Field

jkulcsar · February 10, 2022, 3:44pm

Hello all

I've added a runtime field to my logstash indexes to concatenate two fields on the fly (in this context: the Model and Serial Number of a product):

PUT logstash-*/_mapping
{
  "runtime": {
    "m_s_unique_id": {
      "type": "keyword",
      "script": {
        "source": """
        if(doc['Model.keyword'].size()!=0 && doc['SerNr.keyword'].size()!=0) {
          emit(doc['Model.keyword'].value + '-' + doc['SerNr.keyword'].value); 
        }
        else {
          emit("noid");
        }
        """
      }
    }
  }
}

I can see the runtime field in Discover.
When I run a simple query however (looking for an ID that's visible in Discover), the query is very slow and eventually times out:

GET logstash-*/_search
{
   "fields": [
    "m_s_unique_id"
  ],
  "query": {
    "match": {
      "m_s_unique_id": "AAA-123456789"
    }
  }
}

Is this expected or am I doing something wrong?

Any help or hints are much appreciated.

Tomo_M · February 10, 2022, 5:24pm

Yes expected. Runtime field are calculated at query time, in your case, full index.

system · March 10, 2022, 5:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Query in Runtime Field Kibana	1	165	June 16, 2022
Runtime fields not generated Kibana	4	49	August 23, 2024
Runtime field query performance Elasticsearch runtime-fields	1	473	March 9, 2023
How to retrieve fields content when quering runtime fields from Logstasg Logstash	0	63	May 29, 2024
Runtime Fields Elasticsearch runtime-fields	6	324	September 20, 2023

Query using Runtime Field

Related Topics