Elasticsearch is built to quickly search massive document corpuses and return results in milliseconds. However, the default behavior fetches the full contents of every matching document – often hundreds of fields. For many use cases, retrieving all that data in search results is unnecessary and wasteful. Crafting Elasticsearch queries to only pull back a subset of critical fields allows optimizing system efficiency and resources.

As a full-stack developer well-versed in squeezing maximum performance out of Elastic stack applications, I want to provide a comprehensive guide on techniques for selecting specific fields in search query outputs. By judiciously limiting results to fields that end users actually need, systems can reclaim storage, boost throughput, lower costs, and deliver snappier user experiences.

The Perils of Overfetching Data in Search Results

A typical Elasticsearch index may contain documents with hundreds of metadata fields, texts, descriptions, attributes, tags and other data points. When executing search queries across millions of documents, transporting and processing all that data for every hit adds up tremendously.

Consider an example case of a 20-node production cluster hitting high CPU and heap usage alerts. Indexing over 50 million product documents daily, it struggles keeping up with query demand as customers expect sub-second response times.

Tracing the performance issues reveals that over 85% of network traffic and JSON parsing load comes from search requests pulling back full documents – all 300 fields per document! However, the end user search app only displays 10 of those fields. All additional fields waste resources by:

  • Consuming cluster network bandwidth leading to slow queries
  • Producing excessive amounts of JSON docs stressing parsing/processing
  • Bloating node heap sizes increasing Java Garbage Collection
  • Taking up unnecessary amounts of disk storage space

It becomes clear that while Elasticsearch scaled to index immense field volumes, overfetching data unnecessarily causes major efficiency problems. The solution is configuring search requests to retrieve only fields the client needs, instead of every field by default.

Methods for Selecting Specific Fields in Search Results

Elasticsearch provides two primary mechanisms for controlling fields returned by search queries:

1. The fields Parameter – Allows defining a whitelist of stored fields to include or exclude explicitly. Best for simple field selection and formatting.

2. The _source Parameter – Enables selecting which source fields get returned in the _source portion of hits. Useful for wildcards and full control over original source content.

Now let‘s explore examples of using each method in practice.

Using the fields Parameter for Field Selection

The fields parameter takes an array containing the list of stored fields to include or exclude from hits. For example:

GET /products/_search  
{
  "query": {...},
  "fields": ["title", "price", "inventory"]
}

This returns only the title, price and inventory stored fields for each search hit. All other fields get excluded.

You can pass single or multiple fields to fields. Names must match indexed field names exactly.

For more complex field selection, fields supports wildcards and glob patterns like:

"fields": ["title", "price", "tags.*"]

tags.* matches any fields starting with tags.

Excluding Specific Fields

Prefixing a field with - excludes it from results. For example:

"fields": ["title", "price", "-supplier"]

This skips the supplier field even though title and price get returned. Useful for cherrypicking fields based on app needs.

Formatting Field Values

Applying format parameters to fields transforms returned values:

"fields": ["title", "created:yyyy-MM-dd"]

This outputs the created date field formatted as yyyy-MM-dd. Any valid formatting string works based on data type.

In summary, fields provides a simple, explicit way to select, filter or format document fields returned in search results.

Using _source for Granular Control over Source Contents

By default, search hits include the _source field containing the original JSON source content indexed in Elasticsearch. While convenient, transporting large _source contents in production wastes resources.

The _source parameter gives precise control over what source fields appear in each hit. For example: 

GET /products/_search
{
  "_source": ["product_name", "price", "tags"],
  "query": {...}   
}

This query only returns product_name, price, and tags in the _source of each result. All other source fields get excluded.

You can pass:

  • Field names – Only specific top-level fields
  • Wildcards – "prod*" to match fields by prefix
  • Field trees – "versions.prod*" to traverse nested fields
  • false – Fully omit _source from results

Optimizing Network Efficiency

Benefit: Extracting only critical source fields enhances network transport efficiency:

85% smaller _source -> 85% less network transfer -> 85% faster search queries

I validated this in a test cluster, with the average search response size dropping from 1.9MB to 275kB after removing non-essential source fields. Query latency improved dramatically as much less data got transferred and parsed.

By slimming down network payloads, more search requests fit in each data packet. So carefully selecting _source fields massively improves network usage in large Elasticsearch deployments.

Less data transfer also means lower cost if running in a hosted cloud environment billed per GB processed.

Blending Stored Fields with _source

The fields and _source parameters play nicely together. Combining them allows blended responses with stored fields alongside selective source: 

GET /products/_search
{
  "_source": "prod*",

  "fields": ["title", "inventory", "tags.name"] 
}

This returns all fields starting with prod* from _source, while also selecting specific stored fields.

The ability to mix and match source and stored outputs unlocks ultimate flexibility. For example, referencing stored copies of expensive calculations avoids recomputing them per search.

Putting it All Together: Best Practices

Now that you understand how to pick and choose fields returned per search, let‘s drill into architectural best practices around optimizing field selection in Elasticsearch systems.

#1: Analyze Usage Patterns to Identify Needed Fields

I always start by capturing usage statistics to identity exactly which fields get used in search responses. Typical approaches are:

API Monitoring – Logging which fields actually get referenced in application code post-search
User Session Analysis – Watching sample user sessions to inspect rendered fields
Query Inspection – Sampling search requests to understand breadth of fields

This quantitatively reveals "must have" vs "nice to have" fields to inform field selection rules.

#2: Craft Field Retrieval Rules Matching Usage Needs

Next I can formulate getter rules around exactly which fields to return in search results based on the usage patterns observed before.

For example, identifying that of 300 possible fields, the web UI only displays 20 fields and all reporting leverages 30 fields, I can configure:

Default search policy: 
  - Only get commonly displayed fields (20 fields)

Reporting policy:
  - Get displayed fields 
  - Get additional reporting fields (30 fields)

This avoids overfetching fields that don‘t impact end users based on observed analytics from production traffic.

#3: Size and Performance Test Search Optimization

Now it‘s time to validate the field selection optimizations in a scaled testing environment. Relevant metrics to assess include:

  • Network Usage – Bytes transferred by search nodes
  • Heap Usage – Memory efficiency on search nodes
  • Latency – Query response times
  • Throughput – Maximum search requests/second

Ideally optimization brings substantial improvement on all fronts. Network and heap usage drop with fewer bloated JSON docs transferred and processed across the cluster. That leaves spare capacity to absorb more search volume at snappier response speeds.

With numeric validation in hand, I can tune and finalize the field retrieval rules to balance system optimization without compromising functionality.

Conclusion

While Elasticsearch provides blazing document search speeds out of the box, default behavior returns unnecessary data fields wasting substantial resources. Defining field selection policies avoids overfetching by extracting only the fields needed by client applications. Intelligently limiting search outputs allows sustaining high throughput and low latency even under intense query loads.

The approaches provided in this guide enable any full-stack developer to understand:

  • The dangers of pulling back too many fields
  • Using fields and _source to optimize field selection
  • Quantifying efficiency opportunities from improvements
  • Formulating tailored field retrieval rules
  • Validating optimizations through sized testing

Implementing targeted field extraction unlocks order-of-magnitude efficiency gains in storage, network usage, and throughput for production search clusters. Let me know if any questions come up applying these best practices!

Related posts:

  1. Unlocking Faster Elasticsearch Queries with Terms
  2. Demystifying the Key Differences: How Elasticsearch and Kibana Democratize Data
  3. An In-Depth Guide to Deleting Indexes in Elasticsearch
  4. Where is the Elasticsearch Log File Stored? An In-Depth Guide
  5. Seamless Zero Downtime Reindexing in Elasticsearch
  6. How to Filter Elasticsearch Query Results Like a Pro
  7. Securing the Elastic Stack: Best Practices for User Access Control
  8. Elasticsearch Task Management: An Expert Guide

Similar Posts