A data tier is a collection of nodes with the same data role that typically share the same hardware profile:
- Content tier nodes handle the indexing and query load for content such as a product catalog.
- Hot tier nodes handle the indexing load for time series data such as logs or metrics and hold your most recent, most-frequently-accessed data.
- Warm tier nodes hold time series data that is accessed less-frequently and rarely needs to be updated.
- Cold tier nodes hold time series data that is accessed infrequently and not normally updated.
- Frozen tier nodes hold time series data that is accessed rarely and never updated, kept in searchable snapshots.
When you index documents directly to a specific index, they remain on content tier nodes indefinitely.
When you index documents to a data stream, they initially reside on hot tier nodes. You can configure index lifecycle management (ILM) policies to automatically transition your time series data through the hot, warm, and cold tiers according to your performance, resiliency and data retention requirements.
A node’s data role is configured in
For example, the highest-performance nodes in a cluster might be assigned to both the hot and content tiers:
node.roles: ["data_hot", "data_content"]
Data stored in the content tier is generally a collection of items such as a product catalog or article archive. Unlike time series data, the value of the content remains relatively constant over time, so it doesn’t make sense to move it to a tier with different performance characteristics as it ages. Content data typically has long data retention requirements, and you want to be able to retrieve items quickly regardless of how old they are.
Content tier nodes are usually optimized for query performance—they prioritize processing power over IO throughput so they can process complex searches and aggregations and return results quickly. While they are also responsible for indexing, content data is generally not ingested at as high a rate as time series data such as logs and metrics. From a resiliency perspective the indices in this tier should be configured to use one or more replicas.
The content tier is required. System indices and other indices that aren’t part of a data stream are automatically allocated to the content tier.
The hot tier is the Elasticsearch entry point for time series data and holds your most-recent, most-frequently-searched time series data. Nodes in the hot tier need to be fast for both reads and writes, which requires more hardware resources and faster storage (SSDs). For resiliency, indices in the hot tier should be configured to use one or more replicas.
The hot tier is required. New indices that are part of a data stream are automatically allocated to the hot tier.
Time series data can move to the warm tier once it is being queried less frequently than the recently-indexed data in the hot tier. The warm tier typically holds data from recent weeks. Updates are still allowed, but likely infrequent. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. For resiliency, indices in the warm tier should be configured to use one or more replicas.
Once data is no longer being updated, it can move from the warm tier to the cold tier where it stays while being queried infrequently. The cold tier is still a responsive query tier, but data in the cold tier is not normally updated. As data transitions into the cold tier it can be compressed and shrunken. For resiliency, the cold tier can use fully mounted indices of searchable snapshots, eliminating the need for replicas.
Once data is no longer being queried, or being queried rarely, it may move from the cold tier to the frozen tier where it stays for the rest of its life.
The frozen tier uses partially mounted indices to store and load data from a snapshot repository. This reduces local storage and operating costs while still letting you search frozen data. Because Elasticsearch must sometimes fetch frozen data from the snapshot repository, searches on the frozen tier are typically slower than on the cold tier.
We recommend you use dedicated nodes in the frozen tier.
Data tier index allocationedit
When you create an index, by default Elasticsearch sets
data_content to automatically allocate the index shards to the content tier.
When Elasticsearch creates an index as part of a data stream,
by default Elasticsearch sets
data_hot to automatically allocate the index shards to the hot tier.
You can override the automatic tier-based allocation by specifying shard allocation filtering settings in the create index request or index template that matches the new index.
You can also explicitly set
to opt out of the default tier-based allocation.
If you set the tier preference to
null, Elasticsearch ignores the data tier roles during allocation.
Automatic data tier migrationedit
ILM automatically transitions managed indices through the available data tiers using the migrate action. By default, this action is automatically injected in every phase. You can explicitly specify the migrate action to override the default behavior, or use the allocate action to manually specify allocation rules.
Intro to Kibana
ELK for Logs & Metrics