Elasticsearch indices keep some data structures in memory to allow you to search them efficiently and to index into them. If you have a lot of indices then the memory required for these data structures can add up to a significant amount. For indices that are searched frequently it is better to keep these structures in memory because it takes time to rebuild them. However, you might access some of your indices so rarely that you would prefer to release the corresponding memory and rebuild these data structures on each search.
For example, if you are using time-based indices to store log messages or time series data then it is likely that older indices are searched much less often than the more recent ones. Older indices also receive no indexing requests. Furthermore, it is usually the case that searches of older indices are for performing longer-term analyses for which a slower response is acceptable.
If you have such indices then they are good candidates for becoming frozen indices. Elasticsearch builds the transient data structures of each shard of a frozen index each time that shard is searched, and discards these data structures as soon as the search is complete. Because Elasticsearch does not maintain these transient data structures in memory, frozen indices consume much less heap than normal indices. This allows for a much higher disk-to-heap ratio than would otherwise be possible.
You can freeze the index using the Freeze Index API.
Searches performed on frozen indices use the small, dedicated,
search_throttled threadpool to control the number of
concurrent searches that hit frozen shards on each node. This limits the amount
of extra memory required for the transient data structures corresponding to
frozen shards, which consequently protects nodes against excessive memory
Frozen indices are read-only: you cannot index into them.
Searches on frozen indices are expected to execute slowly. Frozen indices are not intended for high search load. It is possible that a search of a frozen index may take seconds or minutes to complete, even if the same searches completed in milliseconds when the indices were not frozen.
To make a frozen index writable again, use the Unfreeze Index API.
Intro to Kibana
ELK for Logs & Metrics