Here are the highlights of what’s new and improved in Elasticsearch 7.14!
Cross-cluster EQL search
In 7.14, we added cross-cluster search support to EQL. Cross-cluster search lets you run an EQL search across one or more remote clusters. See Run an EQL search across clusters.
Async SQL search
We’ve added support for async searches to Elasticsearch SQL. Searches across large data sets or frozen data can take longer to return synchronous results. Async SQL search lets you run these searches in the background instead. See Run an async SQL search.
Transforms: support for top metrics
Transforms now support the top metrics aggregation. This improves performance when grouping by many fields. If these fields are descriptive and have the same cardinality (for example, a customer's first and last name describe their customer_id), then using top metrics significantly reduces the work the aggregations need to do. It is also a usability improvement when configuring a top or last value, which previously required a scripted metric.
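The grouping change described above, as an added example in Console syntax that is not taken from the Elasticsearch documentation. The index, transform and field names are assumptions, and the name fields are assumed to be mapped as keyword.

```console
# Added example; index, transform and field names are assumptions.
# Before: every descriptive field is a group_by key, so each bucket key
# carries three parts even though customer_id alone identifies the customer.
PUT _transform/customers_by_all_fields
{
  "source": { "index": "orders" },
  "dest": { "index": "customers_grouped_by_all" },
  "pivot": {
    "group_by": {
      "customer_id": { "terms": { "field": "customer_id" } },
      "first_name":  { "terms": { "field": "customer_first_name" } },
      "last_name":   { "terms": { "field": "customer_last_name" } }
    },
    "aggregations": {
      "total_spent": { "sum": { "field": "total_price" } }
    }
  }
}

# From 7.14: group by the identifying field only and read the descriptive
# fields from the most recent document per customer with top_metrics.
PUT _transform/customers_by_id
{
  "source": { "index": "orders" },
  "dest": { "index": "customers_grouped_by_id" },
  "pivot": {
    "group_by": {
      "customer_id": { "terms": { "field": "customer_id" } }
    },
    "aggregations": {
      "name": {
        "top_metrics": {
          "metrics": [
            { "field": "customer_first_name" },
            { "field": "customer_last_name" }
          ],
          "sort": { "order_date": "desc" }
        }
      },
      "total_spent": { "sum": { "field": "total_price" } }
    }
  }
}
```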
Anomaly detection: reset job API
The reset job API makes it easier to start anomaly detection jobs again from scratch. It puts a job back in the state it was in immediately after creation, which is equivalent to deleting and recreating it but without the need to remember the configuration. It also simplifies support, as users will be able to reset their job with a single click.
match_only_text field type
match_only_text is a new space-optimized variant of text that disables scoring and performs slower on queries that need positions. It is best suited for indexing log messages.
More memory-efficient composite aggregations
New migrate to data tiers routing API
7.14 introduces the migrate to data tiers routing API. You can use the API to switch indices and ILM policies that use attribute-based allocation filters to data tiers using node roles. This lets ILM automatically move data stream indices between tiers during phase transitions. Data tiers also give you access to additional ILM features, such as partially mounted indices and the frozen tier.
New terms enum API
The new terms enum API lets you discover index terms that match a partial string. You can use the API for search auto-completion.
Automatic database updates for the GeoIP processor
The GeoIP processor uses MaxMind GeoLite2 databases to provide data about the geographical location of IP addresses. This data changes frequently as IP addresses get reused. In 7.14, we introduced a service that automatically updates these databases so their information is as accurate as possible. The service is enabled by default, but its operation can be adjusted. See GeoIP processor.