Search across clusters

Search across clusters

Cross-cluster search lets you run a single search request against one or more remote clusters. For example, you can use a cross-cluster search to filter and analyze log data stored on clusters in different data centers.

Supported APIs

The following APIs support cross-cluster search:

Prerequisites

Cross-cluster search examples

Remote cluster setup

The following cluster update settings API request adds three remote clusters: cluster_one, cluster_two, and cluster_three.

  1. PUT _cluster/settings
  2. {
  3. "persistent": {
  4. "cluster": {
  5. "remote": {
  6. "cluster_one": {
  7. "seeds": [
  8. "127.0.0.1:9300"
  9. ]
  10. },
  11. "cluster_two": {
  12. "seeds": [
  13. "127.0.0.1:9301"
  14. ]
  15. },
  16. "cluster_three": {
  17. "seeds": [
  18. "127.0.0.1:9302"
  19. ]
  20. }
  21. }
  22. }
  23. }
  24. }

Search a single remote cluster

In the search request, you specify data streams and indices on a remote cluster as <remote_cluster_name>:<target>` .

The following search API request searches the my-index-000001 index on a single remote cluster, cluster_one.

  1. GET /cluster_one:my-index-000001/_search
  2. {
  3. "query": {
  4. "match": {
  5. "user.id": "kimchy"
  6. }
  7. },
  8. "_source": ["user.id", "message", "http.response.status_code"]
  9. }

The API returns the following response:

  1. {
  2. "took": 150,
  3. "timed_out": false,
  4. "_shards": {
  5. "total": 1,
  6. "successful": 1,
  7. "failed": 0,
  8. "skipped": 0
  9. },
  10. "_clusters": {
  11. "total": 1,
  12. "successful": 1,
  13. "skipped": 0
  14. },
  15. "hits": {
  16. "total" : {
  17. "value": 1,
  18. "relation": "eq"
  19. },
  20. "max_score": 1,
  21. "hits": [
  22. {
  23. "_index": "cluster_one:my-index-000001",
  24. "_type": "_doc",
  25. "_id": "0",
  26. "_score": 1,
  27. "_source": {
  28. "user": {
  29. "id": "kimchy"
  30. },
  31. "message": "GET /search HTTP/1.1 200 1070000",
  32. "http": {
  33. "response":
  34. {
  35. "status_code": 200
  36. }
  37. }
  38. }
  39. }
  40. ]
  41. }
  42. }

The search response body includes the name of the remote cluster in the _index parameter.

Search multiple remote clusters

The following search API request searches the my-index-000001 index on three clusters:

  • Your local cluster
  • Two remote clusters, cluster_one and cluster_two
  1. GET /my-index-000001,cluster_one:my-index-000001,cluster_two:my-index-000001/_search
  2. {
  3. "query": {
  4. "match": {
  5. "user.id": "kimchy"
  6. }
  7. },
  8. "_source": ["user.id", "message", "http.response.status_code"]
  9. }

The API returns the following response:

  1. {
  2. "took": 150,
  3. "timed_out": false,
  4. "num_reduce_phases": 4,
  5. "_shards": {
  6. "total": 3,
  7. "successful": 3,
  8. "failed": 0,
  9. "skipped": 0
  10. },
  11. "_clusters": {
  12. "total": 3,
  13. "successful": 3,
  14. "skipped": 0
  15. },
  16. "hits": {
  17. "total" : {
  18. "value": 3,
  19. "relation": "eq"
  20. },
  21. "max_score": 1,
  22. "hits": [
  23. {
  24. "_index": "my-index-000001",
  25. "_type": "_doc",
  26. "_id": "0",
  27. "_score": 2,
  28. "_source": {
  29. "user": {
  30. "id": "kimchy"
  31. },
  32. "message": "GET /search HTTP/1.1 200 1070000",
  33. "http": {
  34. "response":
  35. {
  36. "status_code": 200
  37. }
  38. }
  39. }
  40. },
  41. {
  42. "_index": "cluster_one:my-index-000001",
  43. "_type": "_doc",
  44. "_id": "0",
  45. "_score": 1,
  46. "_source": {
  47. "user": {
  48. "id": "kimchy"
  49. },
  50. "message": "GET /search HTTP/1.1 200 1070000",
  51. "http": {
  52. "response":
  53. {
  54. "status_code": 200
  55. }
  56. }
  57. }
  58. },
  59. {
  60. "_index": "cluster_two:my-index-000001",
  61. "_type": "_doc",
  62. "_id": "0",
  63. "_score": 1,
  64. "_source": {
  65. "user": {
  66. "id": "kimchy"
  67. },
  68. "message": "GET /search HTTP/1.1 200 1070000",
  69. "http": {
  70. "response":
  71. {
  72. "status_code": 200
  73. }
  74. }
  75. }
  76. }
  77. ]
  78. }
  79. }

This document’s _index parameter doesn’t include a cluster name. This means the document came from the local cluster.

This document came from cluster_one.

This document came from cluster_two.

Optional remote clusters

By default, a cross-cluster search fails if a remote cluster in the request returns an error or is unavailable. Use the skip_unavailable cluster setting to mark a specific remote cluster as optional for cross-cluster search.

If skip_unavailable is true, a cross-cluster search:

  • Skips the remote cluster if its nodes are unavailable during the search. The response’s _cluster.skipped value contains a count of any skipped clusters.
  • Ignores errors returned by the remote cluster, such as errors related to unavailable shards or indices. This can include errors related to search parameters such as allow_no_indices and ignore_unavailable.
  • Ignores the allow_partial_search_results parameter and the related search.default_allow_partial_results cluster setting when searching the remote cluster. This means searches on the remote cluster may return partial results.

The following cluster update settings API request changes cluster_two‘s skip_unavailable setting to true.

  1. PUT _cluster/settings
  2. {
  3. "persistent": {
  4. "cluster.remote.cluster_two.skip_unavailable": true
  5. }
  6. }

If cluster_two is disconnected or unavailable during a cross-cluster search, Elasticsearch won’t include matching documents from that cluster in the final results.

How cross-cluster search handles network delays

Because cross-cluster search involves sending requests to remote clusters, any network delays can impact search speed. To avoid slow searches, cross-cluster search offers two options for handling network delays:

Minimize network roundtrips

By default, Elasticsearch reduces the number of network roundtrips between remote clusters. This reduces the impact of network delays on search speed. However, Elasticsearch can’t reduce network roundtrips for large search requests, such as those including a scroll or inner hits.

See Minimize network roundtrips to learn how this option works.

Don’t minimize network roundtrips

For search requests that include a scroll or inner hits, Elasticsearch sends multiple outgoing and ingoing requests to each remote cluster. You can also choose this option by setting the ccs_minimize_roundtrips parameter to false. While typically slower, this approach may work well for networks with low latency.

See Don’t minimize network roundtrips to learn how this option works.

The vector tile search API always minimizes network roundtrips and doesn’t include the ccs_minimize_roundtrips parameter.

Minimize network roundtrips

Here’s how cross-cluster search works when you minimize network roundtrips.

  1. You send a cross-cluster search request to your local cluster. A coordinating node in that cluster receives and parses the request.

    ccs min roundtrip client request

  2. The coordinating node sends a single search request to each cluster, including the local cluster. Each cluster performs the search request independently, applying its own cluster-level settings to the request.

    ccs min roundtrip cluster search

  3. Each remote cluster sends its search results back to the coordinating node.

    ccs min roundtrip cluster results

  4. After collecting results from each cluster, the coordinating node returns the final results in the cross-cluster search response.

    ccs min roundtrip client response

Don’t minimize network roundtrips

Here’s how cross-cluster search works when you don’t minimize network roundtrips.

  1. You send a cross-cluster search request to your local cluster. A coordinating node in that cluster receives and parses the request.

    ccs min roundtrip client request

  2. The coordinating node sends a search shards API request to each remote cluster.

    ccs min roundtrip cluster search

  3. Each remote cluster sends its response back to the coordinating node. This response contains information about the indices and shards the cross-cluster search request will be executed on.

    ccs min roundtrip cluster results

  4. The coordinating node sends a search request to each shard, including those in its own cluster. Each shard performs the search request independently.

    When network roundtrips aren’t minimized, the search is executed as if all data were in the coordinating node’s cluster. We recommend updating cluster-level settings that limit searches, such as action.search.shard_count.limit, pre_filter_shard_size, and max_concurrent_shard_requests, to account for this. If these limits are too low, the search may be rejected.

    ccs dont min roundtrip shard search

  5. Each shard sends its search results back to the coordinating node.

    ccs dont min roundtrip shard results

  6. After collecting results from each cluster, the coordinating node returns the final results in the cross-cluster search response.

    ccs min roundtrip client response

Supported configurations

To run a cross-cluster search, the local and remote clusters must be compatible as outlined in the following matrix.

For the EQL search API, the local and remote clusters must use the same Elasticsearch version. Local clusters version 7.17.7 or later also support cross-cluster search to remote clusters version 7.15.0 or later.

Version compatibility matrix

Local cluster

Remote cluster

5.0–5.5

5.6

6.0–6.6

6.7

6.8

7.0

7.1–7.17

5.0–5.5

Yes

Yes

No

No

No

No

No

5.6

Yes

Yes

Yes

Yes

Yes

No

No

6.0–6.6

No

Yes

Yes

Yes

Yes

No

No

6.7

No

Yes

Yes

Yes

Yes

Yes

No

6.8

No

Yes

Yes

Yes

Yes

Yes

Yes

7.0

No

No

No

Yes

Yes

Yes

Yes

7.1–7.17

No

No

No

No

Yes

Yes

Yes

Cross-cluster search can also search remote clusters that are being upgraded so long as both the “upgrade from” and “upgrade to” version are compatible with the gateway node.

For example, a coordinating node running Elasticsearch 5.6 can search a remote cluster running Elasticsearch 6.8, but that cluster can not be upgraded to 7.1. In this case you should first upgrade the coordinating node to 7.1 and then upgrade remote cluster.

Running multiple versions of Elasticsearch in the same cluster beyond the duration of an upgrade is not supported.

Only features that exist across all searched clusters are supported. Using a recent feature with a remote cluster where the feature is not supported will result in undefined behavior.