Elastic
10.4K posts
Where developers learn, build, and share. Your source for hands-on demos, cheat sheets, explainers and more.
- Stop building dummy data to test Elasticsearch. Kibana ships three production-quality sample datasets. One click to install, dashboards included:
  - Sample eCommerce orders: customer transactions, product categories, revenue by region
  - Sample flight data: airline routes, ticket
- Replying to @elastic: When you want one language across logs, metrics, and traces, ES|QL's TS command is the direct equivalent.
  TS metrics-* | STATS SUM(RATE(http_requests_total, 5m)) BY job, TBUCKET(5m)
  RATE(metric, 5m) maps to PromQL's rate(metric[5m]). TS groups by time series first and handles
- 🧵 Your PromQL doesn't have to be rewritten to move to Elastic Observability. 9.4 added native Prometheus support. Ship metrics straight to ES, run your existing PromQL in Kibana. Same queries. Same dashboards. rate(http_requests_total{job="api"}[5m]) That runs in Kibana now.
- Learn how to cut Elasticsearch log storage by up to 76% with LogsDB:
  1. Create a LogsDB index with "index.mode": "logsdb"
  2. Reindex your logs into both a standard and LogsDB index
  3. Force merge both indices with _forcemerge?max_num_segments=1
  4. Measure the difference with the
- Replying to @elastic: Good fit for the speculative query patterns LLM agents generate: fast, approximate, cheap. Won't approximate DISTINCT_COUNT, MIN, or MAX yet. No support for TS, JOIN, or FORK pipelines. Falls back to exact. Gist: go.es.io/4fbZdcH Blog: go.es.io/4nUElst
- 🧵 p95 latency tile in Kibana. 5 million events. Takes 296ms exact. Add one line to the ES|QL pipeline: SET approximation=true; Same query. 110ms. Every result comes with a confidence interval. Drop the interval (SET approximation={"confidence_level": null}) and it runs in
- Replying to @elastic: TL;DR:
  - 4 approaches: search-as-you-type, query time, completion suggester, index time
  - match_bool_prefix is the underused middle ground for query time
  - Empty prefix queries can bring down a cluster — always set a minimum character threshold
  - Completion suggester is for
- Replying to @elastic: The core choice is index time vs query time cost. Index time approaches: fast queries, larger storage, more operational overhead. Query time approaches: slower queries, smaller storage, easier to iterate. Most performance issues in autocomplete trace back to this trade-off