Hey again. Did the additional explanations clarify things enough?
Just to add more context and explain why this matters to us: on a larger test deployment where we have about 4.5 billion docs over ~70 indices (timestamp-sorted) on 4 data nodes (running 7.5 this time, though), we see this for instance...
GET /search_alias/_search
{
  "query": {
    "range": {
      "@timestamp": {
        "from": "now-1M/d",
        "to": "now+1d/d"
      }
    }
  },
  "track_total_hits": false,
  "size": 1
}
takes easily 10-15 seconds, while
GET /search_alias/_search
{
  "query": {
    "match_all": {}
  },
  "track_total_hits": false,
  "size": 1
}
is (obviously?) near instant (~5ms). Same if we request timestamp-sorting of the results. And also similar if we add other filters to the queries.
From profiling, it seems that when doing a range query it has to check for the existence of @timestamp; could this explain why it takes so long?
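One way to pin down where the time goes for the two queries above is to re-run them with Elasticsearch's real `"profile": true` option and compare the top-level query node timings shard by shard, which shows whether one large index dominates or the cost is spread evenly. The following is an added example, not code from the original post or from Elasticsearch itself; the shard ids, index names and timings in `SAMPLE_RESPONSE` are constructed so the script runs offline, and `run_profiled` is a hypothetical helper that would POST the same body to a live cluster.

```python
"""Summarise an Elasticsearch search-profile response per shard.

Added example (not from the original post). It wraps a query the way
the post does, adds "profile": true, and reports each shard's top-level
query nodes so a slow range query can be compared with match_all.
"""
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

def profiled_body(query: dict) -> dict:
    """Same request shape as the post, with profiling switched on."""
    return {"query": query, "track_total_hits": False, "size": 1, "profile": True}

def summarize_profile(response: dict) -> Dict[str, List[dict]]:
    """Map shard id -> top-level query nodes as {type, description, ms}.

    Only top-level nodes are reported: in the profile API a node's
    time_in_nanos already includes its children, so adding up every
    level would double count.
    """
    out: Dict[str, List[dict]] = {}
    for shard in response.get("profile", {}).get("shards", []):
        nodes = []
        for search in shard.get("searches", []):
            for node in search.get("query", []):
                nodes.append({
                    "type": node["type"],
                    "description": node.get("description", ""),
                    "ms": node["time_in_nanos"] / 1e6,
                })
        out[shard["id"]] = nodes
    return out

def slowest_shard(summary: Dict[str, List[dict]]) -> Optional[Tuple[str, float]]:
    """Return (shard_id, total_ms) for the shard whose query nodes took longest."""
    if not summary:
        return None
    shard_id = max(summary, key=lambda s: sum(n["ms"] for n in summary[s]))
    return shard_id, sum(n["ms"] for n in summary[shard_id])

def run_profiled(es_url: str, index: str, query: dict, timeout: int = 60) -> dict:
    """Hypothetical helper: POST the profiled query to a live cluster.
    Not exercised offline; assumes no authentication on es_url."""
    url = f"{es_url.rstrip('/')}/{index}/_search"
    req = urllib.request.Request(
        url,
        data=json.dumps(profiled_body(query)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample response: two shards, one dominating the range query.
SAMPLE_RESPONSE = {
    "profile": {
        "shards": [
            {
                "id": "[node1][logs-2020.01][0]",
                "searches": [{"query": [{
                    "type": "IndexOrDocValuesQuery",
                    "description": "@timestamp:[1577836800000 TO 1580601599999]",
                    "time_in_nanos": 12_000_000_000,
                    "breakdown": {},
                }], "rewrite_time": 0, "collector": []}],
            },
            {
                "id": "[node2][logs-2020.02][0]",
                "searches": [{"query": [{
                    "type": "IndexOrDocValuesQuery",
                    "description": "@timestamp:[1577836800000 TO 1580601599999]",
                    "time_in_nanos": 45_000_000,
                    "breakdown": {},
                }], "rewrite_time": 0, "collector": []}],
            },
        ]
    }
}

RANGE_QUERY = {"range": {"@timestamp": {"from": "now-1M/d", "to": "now+1d/d"}}}

if __name__ == "__main__":
    summary = summarize_profile(SAMPLE_RESPONSE)
    for shard_id, nodes in summary.items():
        for n in nodes:
            print(f"{shard_id}: {n['type']} {n['ms']:.1f} ms  {n['description']}")
    print("slowest shard:", slowest_shard(summary))
```

Running it against a real cluster means replacing `SAMPLE_RESPONSE` with `run_profiled("http://localhost:9200", "search_alias", RANGE_QUERY)`; the per-shard output then tells you whether the range query is uniformly slow or whether a few older, larger shards account for the 10-15 seconds.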