Search not adhering to time limits - searching many indexes

P_Larsen · June 1, 2021, 4:55pm

We have a search that we see running that has a time limit what appears to be 4 mins set but it is accessing indexes from way back in the past.

What could be the issue?

Grabbed from listing running tasks

indices:data/read/search                                X8wgBzzzzzzz4Cd6Q:17202619082 -                                  transport 1622555336427 13:48:56 625.3ms     10.1.00.00 elk-hot-1    indices[index-zero-000758,index-zero-000759,index-zero-000754,index-zero-000755,index-zero-000756,index-zero-000757,index-zero-000750,index-zero-000751,index-zero-000752,index-zero-000753,index-zero-000590,index-zero-000747,index-zero-000748,index-zero-000749,index-zero-000743,index-zero-000744,index-zero-000745,index-zero-000746,index-zero-000740,index-zero-000741,index-zero-000742,index-zero-000772,index-zero-000773,index-zero-000770,index-zero-000771,index-zero-000769,index-zero-000765,index-zero-000766,index-zero-000767,index-zero-000768,index-zero-000761,index-zero-000762,index-zero-000763,index-zero-000764,index-zero-000760,index-zero-000718,index-zero-000719,index-zero-000714,index-zero-000715,index-zero-000716,index-zero-000717,index-zero-000710,index-zero-000677,index-zero-000711,index-zero-000678,index-zero-000712,index-zero-000679,index-zero-000713,index-zero-000673,index-zero-000674,index-zero-000675,index-zero-000676,index-zero-000670,index-zero-000671,index-zero-000672,index-zero-000707,index-zero-000708,index-zero-000709,index-zero-000703,index-zero-000704,index-zero-000705,index-zero-000706,index-zero-000700,index-zero-000701,index-zero-000702,index-zero-000736,index-zero-000737,index-zero-000738,index-zero-000739,index-zero-000732,index-zero-000699,index-zero-000733,index-zero-000734,index-zero-000735,index-zero-000695,index-zero-000696,index-zero-000730,index-zero-000697,index-zero-000731,index-zero-000698,index-zero-000691,index-zero-000692,index-zero-000693,index-zero-000694,index-zero-000690,index-zero-000729,index-zero-000725,index-zero-000726,index-zero-000727,index-zero-000728,index-zero-000721,index-zero-000688,index-zero-000722,index-zero-000689,index-zero-000723,index-zero-000724,index-zero-000684,index-zero-000685,index-zero-000686,index-zero-000720,index-zero-000687,index-zero-000680,index-zero-000681,index-zero-000682,index-zero-000683], types[], search_type[QUERY_THEN_FETCH], scroll[5m], source[{"size":1000,"query":{"bool":{"must":[{"term":{"device_name.keyword":{"value":"abcde-cd","boost":1.0}}},{"term":{"command_name.keyword":{"value":"interface_stats","boost":1.0}}},{"term":{"interface_stats.admin_state":{"value":1,"boost":1.0}}},{"range":{"@timestamp":{"from":"now-4m","to":"now","include_lower":true,"include_upper":false,"boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}},"sort":[{"_doc":{"order":"asc"}}]}]

warkolm · June 2, 2021, 2:03am

Can you elaborate a little more on this please. Are you saying there's a query with a timestamp range query of the last 4 minutes?

P_Larsen · June 2, 2021, 2:13pm

Based on the task it lists last for mins but lists all the indexes matching the pattern.
Does it still list all the indexes matching the pattern but does not actually access them?
The output is just a bit confusing. If elastic is listing all the indexes for 4 weeks but still only READS/accesses the last 4 minutes then that would make sense and the long list of indexes is irrelevant.

warkolm · June 2, 2021, 11:14pm

It checks the indexes that match the pattern to see if it needs to run the actual query. That's probably what you are seeing.

system · June 30, 2021, 11:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.