We recently upgraded our ELK stack from 5.6.6 to 6.2.3.
In 5.6.6, with the _all field enabled, if a user didn't specify a field, the query would hit the _all field and get the results.
In 6.2.3, with the _all field disabled, if a user doesn't specify a field, Elasticsearch looks at all the fields. This results in a significant increase in query time and search thread pools being more saturated.
Has anyone faced a similar issue?
Is there a way to block searches where a key field is not specified?
You can get back to a similar behavior if you copy_to the fields into a custom "all" field. Should have a similar level of performance too.
I'm assuming you're referring to query_string queries? I don't believe there is a way to forbid "field-less" queries. But you can set the default_field to a specific field (which may be empty) as a way to prevent hitting all the fields. Or you can configure the index.query.default_field index setting to point to a specific field so you don't have to modify the query itself.
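The two replies above in working form, as an added example that is not code from this thread or from Elastic: an index body that uses copy_to to build a custom "all" field and sets index.query.default_field to it, plus an application-side guard that refuses query_string requests containing field-less clauses before they reach the cluster (the cluster itself has no switch for that, per the reply above). The field names, the catch-all field name, the 6.x mapping type name "doc" and the request bodies are constructed for illustration, and the clause tokenizer is a heuristic, not a full Lucene query parser.

```python
"""Stand-ins for the removed _all field and a guard against field-less
query_string searches. Added example, not code from Elastic or the thread;
index, field and type names are constructed for illustration."""
import json
import re

# Fields a user may search without naming a field. Constructed names/types.
SEARCHABLE_FIELDS = {"message": "text", "hostname": "keyword", "username": "keyword"}
CATCHALL_FIELD = "all_text"  # custom replacement for the removed _all field
MAPPING_TYPE = "doc"  # assumption: single mapping type, as 6.x still requires

LUCENE_OPERATORS = {"AND", "OR", "NOT", "&&", "||"}
# One clause of query_string syntax: optional +/-/! prefix, optional field
# qualifier, then a phrase, a parenthesised group, a range, or a bare term.
# Heuristic: nested parentheses and escaped quotes are not handled.
CLAUSE_RE = re.compile(
    r'[+\-!]?(?P<field>[\w.]+:)?'
    r'(?P<value>"[^"]*"|\([^)]*\)|\[[^\]]*\]|\{[^}]*\}|[^\s()]+)'
)


def index_body() -> dict:
    """Index creation body: copy_to every searchable field into one custom
    catch-all field (first reply) and point index.query.default_field at it
    (second reply), so a field-less query_string hits one field, not all."""
    properties = {CATCHALL_FIELD: {"type": "text"}}
    for name, ftype in SEARCHABLE_FIELDS.items():
        properties[name] = {"type": ftype, "copy_to": CATCHALL_FIELD}
    return {
        "settings": {"index.query.default_field": CATCHALL_FIELD},
        "mappings": {MAPPING_TYPE: {"properties": properties}},
    }


def fieldless_clauses(query: str) -> list:
    """Return the clauses of a query_string query that name no field."""
    missing = []
    for m in CLAUSE_RE.finditer(query):
        if m.group("field"):
            continue
        value = m.group("value")
        if value in LUCENE_OPERATORS:
            continue
        missing.append(value)
    return missing


def pin_default_field(body: dict) -> dict:
    """Per-request form of the second reply: a query_string that sets
    neither default_field nor fields gets default_field pinned to the
    catch-all field, so it cannot fan out over every field in the index."""
    qs = body.get("query", {}).get("query_string")
    if qs is not None and "default_field" not in qs and "fields" not in qs:
        qs["default_field"] = CATCHALL_FIELD
    return body


def guard_request(body: dict) -> dict:
    """Reject a query_string request with field-less clauses, in front of
    Elasticsearch (it has no such switch itself); otherwise pin default_field."""
    qs = body.get("query", {}).get("query_string")
    if qs is not None:
        missing = fieldless_clauses(qs.get("query", ""))
        if missing:
            raise ValueError("field-less clauses not allowed: %s" % missing)
    return pin_default_field(body)


if __name__ == "__main__":
    print(json.dumps(index_body(), indent=2))
    for q in ('hostname:web01 AND message:"disk full"', "error OR hostname:web01"):
        print(q, "->", fieldless_clauses(q))
```

The index body is what you would PUT when creating the index (or set in a template); the guard sits wherever the application builds the search request. Whether to reject or merely pin default_field is a policy choice; the guard above rejects, since the question asks for blocking.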