Query using Runtime Field

jkulcsar · February 10, 2022, 3:44pm

Hello all

I've added a runtime field to my logstash indexes to concatenate two fields on the fly (in this context: the Model and Serial Number of a product):

PUT logstash-*/_mapping
{
  "runtime": {
    "m_s_unique_id": {
      "type": "keyword",
      "script": {
        "source": """
        if(doc['Model.keyword'].size()!=0 && doc['SerNr.keyword'].size()!=0) {
          emit(doc['Model.keyword'].value + '-' + doc['SerNr.keyword'].value); 
        }
        else {
          emit("noid");
        }
        """
      }
    }
  }
}

I can see the runtime field in Discover.
When I run a simple query however (looking for an ID that's visible in Discover), the query is very slow and eventually times out:

GET logstash-*/_search
{
   "fields": [
    "m_s_unique_id"
  ],
  "query": {
    "match": {
      "m_s_unique_id": "AAA-123456789"
    }
  }
}

Is this expected or am I doing something wrong?

Any help or hints are much appreciated.

Tomo_M · February 10, 2022, 5:24pm

Yes expected. Runtime field are calculated at query time, in your case, full index.

system · March 10, 2022, 5:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.