Query using Runtime Field

jkulcsar · February 10, 2022, 3:44pm

Hello all

I've added a runtime field to my logstash indexes to concatenate two fields on the fly (in this context: the Model and Serial Number of a product):

PUT logstash-*/_mapping
{
  "runtime": {
    "m_s_unique_id": {
      "type": "keyword",
      "script": {
        "source": """
        if(doc['Model.keyword'].size()!=0 && doc['SerNr.keyword'].size()!=0) {
          emit(doc['Model.keyword'].value + '-' + doc['SerNr.keyword'].value); 
        }
        else {
          emit("noid");
        }
        """
      }
    }
  }
}

I can see the runtime field in Discover.
When I run a simple query however (looking for an ID that's visible in Discover), the query is very slow and eventually times out:

GET logstash-*/_search
{
   "fields": [
    "m_s_unique_id"
  ],
  "query": {
    "match": {
      "m_s_unique_id": "AAA-123456789"
    }
  }
}

Is this expected or am I doing something wrong?

Any help or hints are much appreciated.

Tomo_M · February 10, 2022, 5:24pm

Yes expected. Runtime field are calculated at query time, in your case, full index.

Topic		Replies	Views
How to retrieve fields content when quering runtime fields from Logstash Logstash	1	107	January 23, 2025
How to access the "fields" field in the Elasticsearch query rule Elastic Observability	1	316	October 27, 2023
Query in Runtime Field Kibana	1	189	June 16, 2022
Runtime fields not generated Kibana	4	169	August 23, 2024
Runtime fields cannot be used when querying ？ Elasticsearch	7	359	August 22, 2022

Query using Runtime Field

Related topics