A data tier is a collection of nodes with the same data role that typically share the same hardware profile:
- Content tier nodes handle the indexing and query load for content such as a product catalog.
- Hot tier nodes handle the indexing load for time series data such as logs or metrics and hold your most recent, most-frequently-accessed data.
- Warm tier nodes hold time series data that is accessed less-frequently and rarely needs to be updated.
- Cold tier nodes hold time series data that is accessed infrequently and not normally updated. To save space, you can keep fully mounted indices of searchable snapshots on the cold tier. These fully mounted indices eliminate the need for replicas, reducing required disk space by approximately 50% compared to the regular indices.
- Frozen tier nodes hold time series data that is accessed rarely and never updated. The frozen tier stores partially mounted indices of searchable snapshots exclusively. This extends the storage capacity even further — by up to 20 times compared to the warm tier.
When you index documents directly to a specific index, they remain on content tier nodes indefinitely.
When you index documents to a data stream, they initially reside on hot tier nodes. You can configure index lifecycle management (ILM) policies to automatically transition your time series data through the hot, warm, and cold tiers according to your performance, resiliency and data retention requirements.
A node’s data role is configured in
For example, the highest-performance nodes in a cluster might be assigned to both the hot and content tiers:
node.roles: ["data_hot", "data_content"]
Data stored in the content tier is generally a collection of items such as a product catalog or article archive. Unlike time series data, the value of the content remains relatively constant over time, so it doesn’t make sense to move it to a tier with different performance characteristics as it ages. Content data typically has long data retention requirements, and you want to be able to retrieve items quickly regardless of how old they are.
Content tier nodes are usually optimized for query performance—they prioritize processing power over IO throughput so they can process complex searches and aggregations and return results quickly. While they are also responsible for indexing, content data is generally not ingested at as high a rate as time series data such as logs and metrics. From a resiliency perspective the indices in this tier should be configured to use one or more replicas.
The content tier is required. System indices and other indices that aren’t part of a data stream are automatically allocated to the content tier.
The hot tier is the Elasticsearch entry point for time series data and holds your most-recent, most-frequently-searched time series data. Nodes in the hot tier need to be fast for both reads and writes, which requires more hardware resources and faster storage (SSDs). For resiliency, indices in the hot tier should be configured to use one or more replicas.
The hot tier is required. New indices that are part of a data stream are automatically allocated to the hot tier.
Time series data can move to the warm tier once it is being queried less frequently than the recently-indexed data in the hot tier. The warm tier typically holds data from recent weeks. Updates are still allowed, but likely infrequent. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. For resiliency, indices in the warm tier should be configured to use one or more replicas.
When you no longer need to search time series data regularly, it can move from the warm tier to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
For better storage savings, you can keep fully mounted indices of searchable snapshots on the cold tier. Unlike regular indices, these fully mounted indices don’t require replicas for reliability. In the event of a failure, they can recover data from the underlying snapshot instead. This potentially halves the local storage needed for the data. A snapshot repository is required to use fully mounted indices in the cold tier. Fully mounted indices are read-only.
Alternatively, you can use the cold tier to store regular indices with replicas instead of using searchable snapshots. This lets you store older data on less expensive hardware but doesn’t reduce required disk space compared to the warm tier.
Once data is no longer being queried, or being queried rarely, it may move from the cold tier to the frozen tier where it stays for the rest of its life.
The frozen tier requires a snapshot repository. The frozen tier uses partially mounted indices to store and load data from a snapshot repository. This reduces local storage and operating costs while still letting you search frozen data. Because Elasticsearch must sometimes fetch frozen data from the snapshot repository, searches on the frozen tier are typically slower than on the cold tier.
We recommend you use dedicated nodes in the frozen tier.
Data tier index allocationedit
When you create an index, by default Elasticsearch sets
data_content to automatically allocate the index shards to the content tier.
When Elasticsearch creates an index as part of a data stream,
by default Elasticsearch sets
data_hot to automatically allocate the index shards to the hot tier.
You can override the automatic tier-based allocation by specifying shard allocation filtering settings in the create index request or index template that matches the new index.
You can also explicitly set
to opt out of the default tier-based allocation.
If you set the tier preference to
null, Elasticsearch ignores the data tier roles during allocation.
Automatic data tier migrationedit
ILM automatically transitions managed indices through the available data tiers using the migrate action. By default, this action is automatically injected in every phase. You can explicitly specify the migrate action to override the default behavior, or use the allocate action to manually specify allocation rules.
Intro to Kibana
ELK for Logs & Metrics