I'm looking through the documentation regarding the slow log as I'd like to use it to troubleshoot some performance issues we've run into. I'm a bit confused about the thresholds that are suggested in the documentation as it seems like they're back to front. For reference, here are the docs I'm referring to: Slow Log | Elasticsearch Guide [8.1] | Elastic.
The search threshold breakdown in that doc is as follows:
index.search.slowlog.threshold.query.warn: 10s
index.search.slowlog.threshold.query.info: 5s
index.search.slowlog.threshold.query.debug: 2s
index.search.slowlog.threshold.query.trace: 500ms
index.search.slowlog.threshold.fetch.warn: 1s
index.search.slowlog.threshold.fetch.info: 800ms
index.search.slowlog.threshold.fetch.debug: 500ms
index.search.slowlog.threshold.fetch.trace: 200ms
This confuses me a little because it seems like it's assigning the "heaviest" logging to the lowest threshold, i.e. the threshold that is most likely to be triggered.
To be fair, 200ms might still be a pretty high threshold in a lot of use cases, but it still seems like you would want the heaviest logging to be saved for only those requests that are taking a really long time to be fulfilled.
I thought I'd post here because I feel like I may be misunderstanding the rationale behind these thresholds and I'm hoping someone can clarify what the intention is here before I go ahead and implement it in my own setup.