- Elasticsearch Guide: other versions:
- What is Elasticsearch?
- What’s new in 8.0
- Quick start
- Set up Elasticsearch
- Installing Elasticsearch
- Configuring Elasticsearch
- Important Elasticsearch configuration
- Secure settings
- Auditing settings
- Circuit breaker settings
- Cluster-level shard allocation and routing settings
- Cross-cluster replication settings
- Discovery and cluster formation settings
- Field data cache settings
- Index lifecycle management settings
- Index management settings
- Index recovery settings
- Indexing buffer settings
- License settings
- Local gateway settings
- Logging
- Machine learning settings
- Monitoring settings
- Node
- Networking
- Node query cache settings
- Search settings
- Security settings
- Shard request cache settings
- Snapshot and restore settings
- Transforms settings
- Thread pools
- Watcher settings
- Advanced configuration
- Important system configuration
- Bootstrap Checks
- Heap size check
- File descriptor check
- Memory lock check
- Maximum number of threads check
- Max file size check
- Maximum size virtual memory check
- Maximum map count check
- Client JVM check
- Use serial collector check
- System call filter check
- OnError and OnOutOfMemoryError checks
- Early-access check
- G1GC check
- All permission check
- Discovery configuration check
- Bootstrap Checks for X-Pack
- Starting Elasticsearch
- Stopping Elasticsearch
- Discovery and cluster formation
- Add and remove nodes in your cluster
- Full-cluster restart and rolling restart
- Remote clusters
- Plugins
- Upgrade Elasticsearch
- Index modules
- Mapping
- Text analysis
- Overview
- Concepts
- Configure text analysis
- Built-in analyzer reference
- Tokenizer reference
- Token filter reference
- Apostrophe
- ASCII folding
- CJK bigram
- CJK width
- Classic
- Common grams
- Conditional
- Decimal digit
- Delimited payload
- Dictionary decompounder
- Edge n-gram
- Elision
- Fingerprint
- Flatten graph
- Hunspell
- Hyphenation decompounder
- Keep types
- Keep words
- Keyword marker
- Keyword repeat
- KStem
- Length
- Limit token count
- Lowercase
- MinHash
- Multiplexer
- N-gram
- Normalization
- Pattern capture
- Pattern replace
- Phonetic
- Porter stem
- Predicate script
- Remove duplicates
- Reverse
- Shingle
- Snowball
- Stemmer
- Stemmer override
- Stop
- Synonym
- Synonym graph
- Trim
- Truncate
- Unique
- Uppercase
- Word delimiter
- Word delimiter graph
- Character filters reference
- Normalizers
- Index templates
- Data streams
- Ingest pipelines
- Example: Parse logs
- Enrich your data
- Processor reference
- Append
- Bytes
- Circle
- Community ID
- Convert
- CSV
- Date
- Date index name
- Dissect
- Dot expander
- Drop
- Enrich
- Fail
- Fingerprint
- Foreach
- GeoIP
- Grok
- Gsub
- HTML strip
- Inference
- Join
- JSON
- KV
- Lowercase
- Network direction
- Pipeline
- Registered domain
- Remove
- Rename
- Script
- Set
- Set security user
- Sort
- Split
- Trim
- Uppercase
- URL decode
- URI parts
- User agent
- Aliases
- Search your data
- Collapse search results
- Filter search results
- Highlighting
- Long-running searches
- Near real-time search
- Paginate search results
- Retrieve inner hits
- Retrieve selected fields
- Search across clusters
- Search multiple data streams and indices
- Search shard routing
- Search templates
- Sort search results
- kNN search
- Query DSL
- Aggregations
- Bucket aggregations
- Adjacency matrix
- Auto-interval date histogram
- Categorize text
- Children
- Composite
- Date histogram
- Date range
- Diversified sampler
- Filter
- Filters
- Geo-distance
- Geohash grid
- Geotile grid
- Global
- Histogram
- IP range
- Missing
- Multi Terms
- Nested
- Parent
- Range
- Rare terms
- Reverse nested
- Sampler
- Significant terms
- Significant text
- Terms
- Variable width histogram
- Subtleties of bucketing range fields
- Metrics aggregations
- Pipeline aggregations
- Average bucket
- Bucket script
- Bucket count K-S test
- Bucket correlation
- Bucket selector
- Bucket sort
- Cumulative cardinality
- Cumulative sum
- Derivative
- Extended stats bucket
- Inference bucket
- Max bucket
- Min bucket
- Moving function
- Moving percentiles
- Normalize
- Percentiles bucket
- Serial differencing
- Stats bucket
- Sum bucket
- Bucket aggregations
- EQL
- SQL
- Overview
- Getting Started with SQL
- Conventions and Terminology
- Security
- SQL REST API
- SQL Translate API
- SQL CLI
- SQL JDBC
- SQL ODBC
- SQL Client Applications
- SQL Language
- Functions and Operators
- Comparison Operators
- Logical Operators
- Math Operators
- Cast Operators
- LIKE and RLIKE Operators
- Aggregate Functions
- Grouping Functions
- Date/Time and Interval Functions and Operators
- Full-Text Search Functions
- Mathematical Functions
- String Functions
- Type Conversion Functions
- Geo Functions
- Conditional Functions And Expressions
- System Functions
- Reserved keywords
- SQL Limitations
- Scripting
- Data management
- ILM: Manage the index lifecycle
- Overview
- Concepts
- Automate rollover
- Tutorial: Customize built-in policies
- Index lifecycle actions
- Configure a lifecycle policy
- Migrate index allocation filters to node roles
- Troubleshooting index lifecycle management errors
- Start and stop index lifecycle management
- Manage existing indices
- Skip rollover
- Restore a managed data stream or index
- Autoscaling
- Monitor a cluster
- Roll up or transform your data
- Set up a cluster for high availability
- Snapshot and restore
- Secure the Elastic Stack
- Elasticsearch security principles
- Start the Elastic Stack with security enabled
- Configure security
- Updating node security certificates
- User authentication
- Built-in users
- Service accounts
- Internal users
- Token-based authentication services
- Realms
- Realm chains
- Active Directory user authentication
- File-based user authentication
- LDAP user authentication
- Native user authentication
- OpenID Connect authentication
- PKI user authentication
- SAML authentication
- Kerberos authentication
- Integrating with other authentication systems
- Enabling anonymous access
- Controlling the user cache
- Configuring SAML single-sign-on on the Elastic Stack
- Configuring single sign-on to the Elastic Stack using OpenID Connect
- User authorization
- Built-in roles
- Defining roles
- Security privileges
- Document level security
- Field level security
- Granting privileges for data streams and aliases
- Mapping users and groups to roles
- Setting up field and document level security
- Submitting requests on behalf of other users
- Configuring authorization delegation
- Customizing roles and authorization
- Enable audit logging
- Restricting connections with IP filtering
- Securing clients and integrations
- Operator privileges
- Troubleshooting
- Some settings are not returned via the nodes settings API
- Authorization exceptions
- Users command fails due to extra arguments
- Users are frequently locked out of Active Directory
- Certificate verification fails for curl on Mac
- SSLHandshakeException causes connections to fail
- Common SSL/TLS exceptions
- Common Kerberos exceptions
- Common SAML issues
- Internal Server Error in Kibana
- Setup-passwords command fails due to connection failure
- Failures due to relocation of the configuration files
- Limitations
- Watcher
- Command line tools
- elasticsearch-certgen
- elasticsearch-certutil
- elasticsearch-create-enrollment-token
- elasticsearch-croneval
- elasticsearch-keystore
- elasticsearch-node
- elasticsearch-reconfigure-node
- elasticsearch-reset-password
- elasticsearch-saml-metadata
- elasticsearch-service-tokens
- elasticsearch-setup-passwords
- elasticsearch-shard
- elasticsearch-syskeygen
- elasticsearch-users
- How to
- REST APIs
- API conventions
- Common options
- REST API compatibility
- Autoscaling APIs
- Compact and aligned text (CAT) APIs
- cat aliases
- cat allocation
- cat anomaly detectors
- cat count
- cat data frame analytics
- cat datafeeds
- cat fielddata
- cat health
- cat indices
- cat master
- cat nodeattrs
- cat nodes
- cat pending tasks
- cat plugins
- cat recovery
- cat repositories
- cat segments
- cat shards
- cat snapshots
- cat task management
- cat templates
- cat thread pool
- cat trained model
- cat transforms
- Cluster APIs
- Cluster allocation explain
- Cluster get settings
- Cluster health
- Cluster reroute
- Cluster state
- Cluster stats
- Cluster update settings
- Nodes feature usage
- Nodes hot threads
- Nodes info
- Nodes reload secure settings
- Nodes stats
- Pending cluster tasks
- Remote cluster info
- Task management
- Voting configuration exclusions
- Cross-cluster replication APIs
- Data stream APIs
- Document APIs
- Enrich APIs
- EQL APIs
- Features APIs
- Fleet APIs
- Find structure API
- Graph explore API
- Index APIs
- Alias exists
- Aliases
- Analyze
- Analyze index disk usage
- Clear cache
- Clone index
- Close index
- Create index
- Create or update alias
- Create or update component template
- Create or update index template
- Create or update index template (legacy)
- Delete component template
- Delete dangling index
- Delete alias
- Delete index
- Delete index template
- Delete index template (legacy)
- Exists
- Field usage stats
- Flush
- Force merge
- Get alias
- Get component template
- Get field mapping
- Get index
- Get index settings
- Get index template
- Get index template (legacy)
- Get mapping
- Import dangling index
- Index recovery
- Index segments
- Index shard stores
- Index stats
- Index template exists (legacy)
- List dangling indices
- Open index
- Refresh
- Resolve index
- Rollover
- Shrink index
- Simulate index
- Simulate template
- Split index
- Unfreeze index
- Update index settings
- Update mapping
- Index lifecycle management APIs
- Create or update lifecycle policy
- Get policy
- Delete policy
- Move to step
- Remove policy
- Retry policy
- Get index lifecycle management status
- Explain lifecycle
- Start index lifecycle management
- Stop index lifecycle management
- Migrate indices, ILM policies, and legacy, composable and component templates to data tiers routing
- Ingest APIs
- Info API
- Licensing APIs
- Logstash APIs
- Machine learning APIs
- Machine learning anomaly detection APIs
- Add events to calendar
- Add jobs to calendar
- Close jobs
- Create jobs
- Create calendars
- Create datafeeds
- Create filters
- Delete calendars
- Delete datafeeds
- Delete events from calendar
- Delete filters
- Delete forecasts
- Delete jobs
- Delete jobs from calendar
- Delete model snapshots
- Delete expired data
- Estimate model memory
- Flush jobs
- Forecast jobs
- Get buckets
- Get calendars
- Get categories
- Get datafeeds
- Get datafeed statistics
- Get influencers
- Get jobs
- Get job statistics
- Get model snapshots
- Get model snapshot upgrade statistics
- Get overall buckets
- Get scheduled events
- Get filters
- Get records
- Open jobs
- Post data to jobs
- Preview datafeeds
- Reset jobs
- Revert model snapshots
- Start datafeeds
- Stop datafeeds
- Update datafeeds
- Update filters
- Update jobs
- Update model snapshots
- Upgrade model snapshots
- Machine learning data frame analytics APIs
- Create data frame analytics jobs
- Delete data frame analytics jobs
- Evaluate data frame analytics
- Explain data frame analytics
- Get data frame analytics jobs
- Get data frame analytics jobs stats
- Preview data frame analytics
- Start data frame analytics jobs
- Stop data frame analytics jobs
- Update data frame analytics jobs
- Machine learning trained model APIs
- Create or update trained model aliases
- Create part of a trained model
- Create trained models
- Create trained model vocabulary
- Delete trained model aliases
- Delete trained models
- Get trained models
- Get trained models stats
- Infer trained model deployment
- Start trained model deployment
- Stop trained model deployment
- Migration APIs
- Node lifecycle APIs
- Reload search analyzers API
- Repositories metering APIs
- Rollup APIs
- Script APIs
- Search APIs
- Searchable snapshots APIs
- Security APIs
- Authenticate
- Change passwords
- Clear cache
- Clear roles cache
- Clear privileges cache
- Clear API key cache
- Clear service account token caches
- Create API keys
- Create or update application privileges
- Create or update role mappings
- Create or update roles
- Create or update users
- Create service account tokens
- Delegate PKI authentication
- Delete application privileges
- Delete role mappings
- Delete roles
- Delete service account token
- Delete users
- Disable users
- Enable users
- Enroll Kibana
- Enroll node
- Get API key information
- Get application privileges
- Get builtin privileges
- Get role mappings
- Get roles
- Get service accounts
- Get service account credentials
- Get token
- Get user privileges
- Get users
- Grant API keys
- Has privileges
- Invalidate API key
- Invalidate token
- OpenID Connect prepare authentication
- OpenID Connect authenticate
- OpenID Connect logout
- Query API key information
- SAML prepare authentication
- SAML authenticate
- SAML logout
- SAML invalidate
- SAML complete logout
- SAML service provider metadata
- SSL certificate
- Snapshot and restore APIs
- Snapshot lifecycle management APIs
- SQL APIs
- Transform APIs
- Usage API
- Watcher APIs
- Definitions
- Migration guide
- Release notes
- Dependencies and versions
Index modules
editIndex modules
editIndex Modules are modules created per index and control all aspects related to an index.
Index Settings
editIndex level settings can be set per-index. Settings may be:
- static
- They can only be set at index creation time or on a closed index.
- dynamic
- They can be changed on a live index using the update-index-settings API.
Changing static or dynamic index settings on a closed index could result in incorrect settings that are impossible to rectify without deleting and recreating the index.
Static index settings
editBelow is a list of all static index settings that are not associated with any specific index module:
-
index.number_of_shards
-
The number of primary shards that an index should have. Defaults to
1
. This setting can only be set at index creation time. It cannot be changed on a closed index.The number of shards are limited to
1024
per index. This limitation is a safety limit to prevent accidental creation of indices that can destabilize a cluster due to resource allocation. The limit can be modified by specifyingexport ES_JAVA_OPTS="-Des.index.max_number_of_shards=128"
system property on every node that is part of the cluster.
-
index.number_of_routing_shards
-
Integer value used with
index.number_of_shards
to route documents to a primary shard. See_routing
field.Elasticsearch uses this value when splitting an index. For example, a 5 shard index with
number_of_routing_shards
set to30
(5 x 2 x 3
) could be split by a factor of2
or3
. In other words, it could be split as follows:-
5
→10
→30
(split by 2, then by 3) -
5
→15
→30
(split by 3, then by 2) -
5
→30
(split by 6)
This setting’s default value depends on the number of primary shards in the index. The default is designed to allow you to split by factors of 2 up to a maximum of 1024 shards.
In Elasticsearch 7.0.0 and later versions, this setting affects how documents are distributed across shards. When reindexing an older index with custom routing, you must explicitly set
index.number_of_routing_shards
to maintain the same document distribution. See the related breaking change. -
-
index.codec
-
The
default
value compresses stored data with LZ4 compression, but this can be set tobest_compression
which uses DEFLATE for a higher compression ratio, at the expense of slower stored fields performance. If you are updating the compression type, the new one will be applied after segments are merged. Segment merging can be forced using force merge. Experiments with indexing log datasets have shown thatbest_compression
gives up to ~18% lower storage usage in the most ideal scenario compared todefault
while only minimally affecting indexing throughput (~2%). -
index.routing_partition_size
-
The number of shards a custom routing value can go to.
Defaults to 1 and can only be set at index creation time. This value must be less
than the
index.number_of_shards
unless theindex.number_of_shards
value is also 1. See Routing to an index partition for more details about how this setting is used.
-
index.soft_deletes.enabled
-
[7.6.0]
Deprecated in 7.6.0. Creating indices with soft-deletes disabled is deprecated and will be removed in future Elasticsearch versions.
Indicates whether soft deletes are enabled on the index. Soft deletes can only
be configured at index creation and only on indices created on or after
Elasticsearch 6.5.0. Defaults to
true
.
-
index.soft_deletes.retention_lease.period
-
The maximum period to retain a shard history retention lease before it is
considered expired. Shard history retention leases ensure that soft deletes are
retained during merges on the Lucene index. If a soft delete is merged away
before it can be replicated to a follower the following process will fail due
to incomplete history on the leader. Defaults to
12h
. -
index.load_fixed_bitset_filters_eagerly
-
Indicates whether cached filters are pre-loaded for
nested queries. Possible values are
true
(default) andfalse
. -
index.shard.check_on_startup
-
Expert users only. This setting enables some very expensive processing at shard startup and is only ever useful while diagnosing a problem in your cluster. If you do use it, you should do so only temporarily and remove it once it is no longer needed.
Elasticsearch automatically performs integrity checks on the contents of shards at various points during their lifecycle. For instance, it verifies the checksum of every file transferred when recovering a replica or taking a snapshot. It also verifies the integrity of many important files when opening a shard, which happens when starting up a node and when finishing a shard recovery or relocation. You can therefore manually verify the integrity of a whole shard while it is running by taking a snapshot of it into a fresh repository or by recovering it onto a fresh node.
This setting determines whether Elasticsearch performs additional integrity checks while opening a shard. If these checks detect corruption then they will prevent the shard from being opened. It accepts the following values:
-
false
- Don’t perform additional checks for corruption when opening a shard. This is the default and recommended behaviour.
-
checksum
- Verify that the checksum of every file in the shard matches its contents. This will detect cases where the data read from disk differ from the data that Elasticsearch originally wrote, for instance due to undetected disk corruption or other hardware failures. These checks require reading the entire shard from disk which takes substantial time and IO bandwidth and may affect cluster performance by evicting important data from your filesystem cache.
-
true
-
Performs the same checks as
checksum
and also checks for logical inconsistencies in the shard, which could for instance be caused by the data being corrupted while it was being written due to faulty RAM or other hardware failures. These checks require reading the entire shard from disk which takes substantial time and IO bandwidth, and then performing various checks on the contents of the shard which take substantial time, CPU and memory.
-
Dynamic index settings
editBelow is a list of all dynamic index settings that are not associated with any specific index module:
-
index.auto_expand_replicas
-
Auto-expand the number of replicas based on the number of data nodes in the cluster. Set to a dash delimited lower and upper bound (e.g.
0-5
) or useall
for the upper bound (e.g.0-all
). Defaults tofalse
(i.e. disabled). Note that the auto-expanded number of replicas only takes allocation filtering rules into account, but ignores other allocation rules such as total shards per node, and this can lead to the cluster health becomingYELLOW
if the applicable rules prevent all the replicas from being allocated.If the upper bound is
all
then shard allocation awareness andcluster.routing.allocation.same_shard.host
are ignored for this index.
-
index.search.idle.after
-
How long a shard can not receive a search or get request until it’s considered
search idle. (default is
30s
)
-
index.refresh_interval
-
How often to perform a refresh operation, which makes recent changes to the
index visible to search. Defaults to
1s
. Can be set to-1
to disable refresh. If this setting is not explicitly set, shards that haven’t seen search traffic for at leastindex.search.idle.after
seconds will not receive background refreshes until they receive a search request. Searches that hit an idle shard where a refresh is pending will wait for the next background refresh (within1s
). This behavior aims to automatically optimize bulk indexing in the default case when no searches are performed. In order to opt out of this behavior an explicit value of1s
should set as the refresh interval.
-
index.max_result_window
-
The maximum value of
from + size
for searches to this index. Defaults to10000
. Search requests take heap memory and time proportional tofrom + size
and this limits that memory. See Scroll or Search After for a more efficient alternative to raising this. -
index.max_inner_result_window
-
The maximum value of
from + size
for inner hits definition and top hits aggregations to this index. Defaults to100
. Inner hits and top hits aggregation take heap memory and time proportional tofrom + size
and this limits that memory. -
index.max_rescore_window
-
The maximum value of
window_size
forrescore
requests in searches of this index. Defaults toindex.max_result_window
which defaults to10000
. Search requests take heap memory and time proportional tomax(window_size, from + size)
and this limits that memory. -
index.max_docvalue_fields_search
-
The maximum number of
docvalue_fields
that are allowed in a query. Defaults to100
. Doc-value fields are costly since they might incur a per-field per-document seek. -
index.max_script_fields
-
The maximum number of
script_fields
that are allowed in a query. Defaults to32
.
-
index.max_ngram_diff
-
The maximum allowed difference between min_gram and max_gram for NGramTokenizer and NGramTokenFilter.
Defaults to
1
.
-
index.max_shingle_diff
-
The maximum allowed difference between max_shingle_size and min_shingle_size
for the
shingle
token filter. Defaults to3
. -
index.max_refresh_listeners
-
Maximum number of refresh listeners available on each shard of the index.
These listeners are used to implement
refresh=wait_for
. -
index.analyze.max_token_count
-
The maximum number of tokens that can be produced using _analyze API.
Defaults to
10000
.
-
index.highlight.max_analyzed_offset
-
The maximum number of characters that will be analyzed for a highlight request.
This setting is only applicable when highlighting is requested on a text that was indexed without offsets or term vectors.
Defaults to
1000000
.
-
index.max_terms_count
-
The maximum number of terms that can be used in Terms Query.
Defaults to
65536
.
-
index.max_regex_length
-
The maximum length of regex that can be used in Regexp Query.
Defaults to
1000
.
-
index.query.default_field
-
(string or array of strings) Wildcard (
*
) patterns matching one or more fields. The following query types search these matching fields by default:Defaults to
*
, which matches all fields eligible for term-level queries, excluding metadata fields. -
index.routing.allocation.enable
-
Controls shard allocation for this index. It can be set to:
-
all
(default) - Allows shard allocation for all shards. -
primaries
- Allows shard allocation only for primary shards. -
new_primaries
- Allows shard allocation only for newly-created primary shards. -
none
- No shard allocation is allowed.
-
-
index.routing.rebalance.enable
-
Enables shard rebalancing for this index. It can be set to:
-
all
(default) - Allows shard rebalancing for all shards. -
primaries
- Allows shard rebalancing only for primary shards. -
replicas
- Allows shard rebalancing only for replica shards. -
none
- No shard rebalancing is allowed.
-
-
index.gc_deletes
-
The length of time that a deleted document’s version number remains available for further versioned operations.
Defaults to
60s
.
-
index.default_pipeline
-
Default ingest pipeline for the index. Index requests will fail
if the default pipeline is set and the pipeline does not exist. The default may be
overridden using the
pipeline
parameter. The special pipeline name_none
indicates no ingest pipeline should be run.
-
index.final_pipeline
-
Final ingest pipeline for the index. Indexing requests will fail if the final pipeline is set and the pipeline does not exist. The final pipeline always runs after the request pipeline (if specified) and the default pipeline (if it exists). The special pipeline name
_none
indicates no ingest pipeline will run.You can’t use a final pipeline to change the
_index
field. If the pipeline attempts to change the_index
field, the indexing request will fail. -
index.hidden
-
Indicates whether the index should be hidden by default. Hidden indices are not
returned by default when using a wildcard expression. This behavior is controlled
per request through the use of the
expand_wildcards
parameter. Possible values aretrue
andfalse
(default).
Settings in other index modules
editOther index settings are available in index modules:
- Analysis
- Settings to define analyzers, tokenizers, token filters and character filters.
- Index shard allocation
- Control over where, when, and how shards are allocated to nodes.
- Mapping
- Enable or disable dynamic mapping for an index.
- Merging
- Control over how shards are merged by the background merge process.
- Similarities
- Configure custom similarity settings to customize how search results are scored.
- Slowlog
- Control over how slow queries and fetch requests are logged.
- Store
- Configure the type of filesystem used to access shard data.
- Translog
- Control over the transaction log and background flush operations.
- History retention
- Control over the retention of a history of operations in the index.
- Indexing pressure
- Configure indexing back pressure limits.
X-Pack index settings
edit- Index lifecycle management
- Specify the lifecycle policy and rollover alias for an index.
On this page