Elasticsearch highlights

This list summarizes the most important enhancements in Elasticsearch 7.14. For the complete list, go to Elasticsearch release highlights.

Cross-cluster EQL search

In 7.14, we added cross-cluster search support to EQL. Cross-cluster search lets you run an EQL search across one or more remote clusters. See Run an EQL search across clusters.

Async SQL search

We’ve added support for async searches to Elasticsearch SQL. Searches across large data sets or frozen data can take longer to return synchronous results. Async SQL search lets you run these searches in the background instead. See Run an async SQL search.

Transforms: support for top metrics

Transforms now support the top metrics aggregation. This improves performance when grouping by many fields. If these fields are descriptive and have the same cardinality (for example, a customer's first and last name describe their customer_id), then using top metrics significantly reduces the work the aggregations have to do. It is also a usability improvement when configuring a top or last value, which previously would have required a scripted metric.

Anomaly detection: reset job API

The reset job API makes it easier to start anomaly detection jobs again from scratch. It puts a job back into the state it was in immediately after creation, which is equivalent to deleting and recreating it, but without the need to remember the configuration. It also simplifies support, as users will be able to reset their job with a single click.

New match_only_text field type

match_only_text is a new space-optimized variant of text that disables scoring and performs slower on queries that need positions. It is best suited for indexing log messages.

More memory-efficient composite aggregations

Composite aggregations on keyword fields no longer use global ordinals, which for high cardinality fields could use a lot of heap memory as part of the field data cache.

New migrate to data tiers routing API

7.14 introduces the migrate to data tiers routing API. You can use the API to switch indices and ILM policies that use attribute-based allocation filters to data tiers using node roles. This lets ILM automatically move data stream indices between tiers during phase transitions. Data tiers also give you access to additional ILM features, such as partially mounted indices and the frozen tier.

New terms enum API

The new terms enum API lets you discover index terms that match a partial string. You can use the API for search auto-completion.

Automatic database updates for the GeoIP processor

The GeoIP processor uses MaxMind GeoLite2 databases to provide data about the geographical location of IP addresses. This data changes frequently as IP addresses get reused. In 7.14, we introduced a service that automatically updates these databases so their information is as accurate as possible. The service is enabled by default, but its operation can be adjusted. See GeoIP processor.