Glossaryedit

analysis
Process of converting unstructured text into a format optimized for search. See Text analysis.
API key
Unique identifier for authentication in Elasticsearch. When transport layer security (TLS) is enabled, all requests must be authenticated using an API key or a username and password. See the Create API key API.
auto-follow pattern
Index pattern that automatically configures new indices as follower indices for cross-cluster replication. See Manage auto-follow patterns.
cluster
A group of one or more connected Elasticsearch nodes. See Clusters, nodes, and shards.
cold phase
Third possible phase in the index lifecycle. In the cold phase, data is no longer updated and seldom queried. The data still needs to be searchable, but it’s okay if those queries are slower. See Index lifecycle.
cold tier
Data tier that contains nodes that hold time series data that is accessed occasionally and not normally updated. See Data tiers.
component template
Building block for creating index templates. A component template can specify mappings, index settings, and index aliases. See index templates.
content tier
Data tier that contains nodes that handle the indexing and query load for content, such as a product catalog. See Data tiers.
cross-cluster replication (CCR)
Replicates data streams and indices from remote clusters in a local cluster. See Cross-cluster replication.
cross-cluster search (CCS)
Searches data streams and indices on remote clusters from a local cluster. See Search across clusters.
data stream
Named resource used to manage time series data. A data stream stores data across multiple backing indices. See Data streams.
data tier
Collection of nodes with the same data role that typically share the same hardware profile. Data tiers include the content tier, hot tier, warm tier, cold tier, and frozen tier. See Data tiers.
delete phase
Last possible phase in the index lifecycle. In the delete phase, an index is no longer needed and can safely be deleted. See Index lifecycle.
document
JSON object containing data stored in Elasticsearch. See Documents and indices.
Event Query Language (EQL)
Query language for event-based time series data, such as logs, metrics, and traces. EQL supports matching for event sequences. See EQL.
field
Key-value pair in a document. See Mapping.
filter
Query that does not score matching documents. See filter context.
flush
Writes data from the transaction log to disk for permanent storage. See the flush API.
follower index
Target index for cross-cluster replication. A follower index exists in a local cluster and replicates a leader index. See Cross-cluster replication.
force merge
Manually triggers a merge to reduce the number of segments in an index’s shards. See the force merge API.
frozen phase
Fourth possible phase in the index lifecycle. In the frozen phase, an index is no longer updated and queried rarely. The information still needs to be searchable, but it’s okay if those queries are extremely slow. See Index lifecycle.
frozen tier
Data tier that contains nodes that hold time series data that is accessed rarely and not normally updated. See Data tiers.
hidden data stream or index
Data stream or index excluded from most index patterns by default. See Hidden data streams and indices.
hot phase
First possible phase in the index lifecycle. In the hot phase, an index is actively updated and queried. See Index lifecycle.
hot tier
Data tier that contains nodes that handle the indexing load for time series data, such as logs or metrics. This tier holds your most recent, most frequently accessed data. See Data tiers.
ID
Identifier for a document. Document IDs must be unique within an index. See the _id field.
index
  1. Collection of JSON documents. See Documents and indices.
  2. To add one or more JSON documents to Elasticsearch. This process is called indexing.
index alias
Secondary name for one or more indices. Most Elasticsearch APIs accept an index alias in place of an index name. See the Create or update index alias API.
index lifecycle
Five phases an index can transition through: hot, warm, cold, frozen, and delete. See Index lifecycle.
index lifecycle policy
Specifies how an index moves between phases in the index lifecycle and what actions to perform during each phase. See Index lifecycle.
index pattern
String containing a wildcard (*) pattern that can match multiple data streams, indices, or index aliases. See Multi-target syntax.
index template
Automatically configures the mappings, index settings, and aliases of new indices that match its index pattern. You can also use index templates to create data streams. See Index templates.
leader index
Source index for cross-cluster replication. A leader index exists on a remote cluster and is replicated to follower indices. See Cross-cluster replication.
local cluster
Cluster that pulls data from a remote cluster in cross-cluster search or cross-cluster replication. See Remote clusters.
mapping
Defines how a document, its fields, and its metadata are stored in Elasticsearch. Similar to a schema definition. See Mapping.
merge
Process of combining a shard's smaller Lucene segments into a larger one. Elasticsearch manages merges automatically.
node
A single Elasticsearch server. One or more nodes can form a cluster. See Clusters, nodes, and shards.
primary shard
Lucene instance containing some or all data for an index. When you index a document, Elasticsearch adds the document to primary shards before replica shards. See Clusters, nodes, and shards.
query
Request for information about your data. You can think of a query as a question, written in a way Elasticsearch understands. See Search your data.
recovery
Process of syncing a replica shard from a primary shard. Upon completion, the replica shard is available for searches. See the index recovery API.
reindex
Copies documents from a source to a destination. The source and destination can be a data stream, index, or index alias. See the Reindex API.
remote cluster
A separate cluster, often in a different data center or locale, that contains indices that can be replicated or searched by the local cluster. The connection to a remote cluster is unidirectional. See Remote clusters.
replica shard
Copy of a primary shard. Replica shards can improve search performance and resiliency by distributing data across multiple nodes. See Clusters, nodes, and shards.
rollover
Creates a new write index when the current one reaches a certain size, number of docs, or age. A rollover can target a data stream or an index alias with a write index.
rollup
Summarizes high-granularity data into a more compressed format to maintain access to historical data in a cost-effective way. See Roll up your data.
rollup index
Special type of index for storing historical data at reduced granularity. Documents are summarized and indexed into a rollup index by a rollup job. See Rolling up historical data.
rollup job
Background task that runs continuously to summarize documents in an index and index the summaries into a separate rollup index. The job configuration controls what data is rolled up and how often. See Rolling up historical data.
routing
Process of sending and retrieving data from a specific primary shard. Elasticsearch uses a hashed routing value to choose this shard. You can provide a routing value in indexing and search requests to take advantage of caching. See the _routing field.
runtime field
Field that is evaluated at query time. You access runtime fields from the search API like any other field, and Elasticsearch sees runtime fields no differently. See Runtime fields.
searchable snapshot
Snapshot of an index mounted as a searchable snapshot index. You can search this index like a regular index. See searchable snapshots.
searchable snapshot index
Index whose data is stored in a snapshot. Searchable snapshot indices do not need replica shards for resilience, since their data is reliably stored outside the cluster. See searchable snapshots.
segment
Data file in a shard's Lucene instance. Elasticsearch manages Lucene segments automatically.
shard
Lucene instance containing some or all data for an index. Elasticsearch automatically creates and manages these Lucene instances. There are two types of shards: primary and replica. See Clusters, nodes, and shards.
shrink
Reduces the number of primary shards in an index. See the shrink index API.
snapshot
Backup taken of a running cluster. You can take snapshots of the entire cluster or only specific data streams and indices. See Snapshot and restore.
snapshot lifecycle policy
Specifies how frequently to perform automatic backups of a cluster and how long to retain the resulting snapshots. See Manage the snapshot lifecycle
snapshot repository
Location where snapshots are stored. A snapshot repository can be a shared filesystem or a remote repository, such as Azure or Google Cloud Storage. See Snapshot and restore.
source field
Original JSON object provided during indexing. See the _source field.
split
Adds more primary shards to an index. See the split index API.
system index
Index containing configurations and other data used internally by the Elastic Stack. System index names start with a dot (.), such as .security. Do not directly access or change system indices.
term
See token.
text
Unstructured content, such as a product description or log message. You typically analyze text for better search. See Text analysis.
token
A chunk of unstructured text that’s been optimized for search. In most cases, tokens are individual words. Tokens are also called terms. See Text analysis.
tokenization
Process of breaking unstructured text down into smaller, searchable chunks called tokens. See Tokenization.
warm phase
Second possible phase in the index lifecycle. In the warm phase, an index is generally optimized for search and no longer updated. See Index lifecycle.
warm tier
Data tier that contains nodes that hold time series data that is accessed less frequently and rarely needs to be updated. See Data tiers.