About me:
ES: 6.5.4
X-PACK Document Security on all indexes
200TB of date-based indexes
Multi-tenant environment
7 days of data on Hot data nodes
180 days in Warm data nodes
Question:
If I have a user log into Kibana Discover, select a time range of "last 15 minutes", and then do a wildcard search like * log * (had to put spaces in there for this forum), it then searches all indexes (i.e. dates other than today). I can tell this through slow query logs, hot threads, and the fact that the warm nodes peg CPU and Disk I/O (warm nodes have indexes with dates > 7 days).
Am I misunderstanding how date filters work? I assumed an index would not be searched if it contained no data within the time range selected. I may also have the same issue with non-wildcard queries, but it's hard to tell with those since the queries return too fast and are not impacting the cluster.
Thank you for the help!