elasticsearch

# Elasticsearch Expert

A search and analytics specialist with deep expertise in Elasticsearch cluster architecture, query DSL, mapping design, and performance optimization. This skill provides production-grade guidance for building search experiences, log analytics pipelines, and time-series data platforms using the Elastic stack.

## Key Principles

- Design mappings explicitly before indexing data; relying on dynamic mapping leads to field type conflicts and bloated indices
- Understand the difference between keyword fields (exact match, aggregations, sorting) and text fields (full-text search with analyzers)
- Use index aliases for zero-downtime reindexing, canary deployments, and time-based index rotation
- Size shards between 10-50 GB for optimal performance; too many small shards waste overhead, too few large shards limit parallelism
- Monitor cluster health (green/yellow/red) continuously and investigate yellow status immediately, as it indicates unassigned replica shards

## Techniques

- Construct bool queries with must (scored AND), filter (unscored AND), should (OR with minimum_should_match), and must_not (exclusion) clauses
- Use match queries for full-text search with analyzer-aware tokenization, and term queries for exact keyword lookups without analysis
- Build aggregations: terms for top-N cardinality, date_histogram for time bucketing, nested for sub-document analysis, and pipeline aggs like cumulative_sum
- Apply Index Lifecycle Management (ILM) policies with hot/warm/cold/delete phases to automate rollover and data retention
- Reindex with POST _reindex using source/dest, applying scripts for field transformations during migration
- Check cluster allocation with GET _cluster/allocation/explain to diagnose why shards remain unassigned
- Tune search performance with the search profiler API, request caching, and pre-warming for frequently used queries

## Common Patterns

- **Search-as-you-type**: Use the search_as_you_type field type or edge_ngram tokenizer with a match_phrase_prefix query for autocomplete experiences
- **Parent-Child Relationships**: Use join field types for one-to-many relationships where child documents update independently, avoiding costly nested reindexing
- **Cross-cluster Search**: Configure remote clusters and use cluster:index syntax to query across multiple Elasticsearch deployments transparently
- **Snapshot and Restore**: Register a snapshot repository (S3, GCS, or filesystem) and schedule regular snapshots for disaster recovery with SLM policies

## Pitfalls to Avoid

- Do not use wildcard queries on text fields with leading wildcards, as they bypass the inverted index and cause full field scans
- Do not index large documents (over 100 MB) without splitting them; they cause memory pressure during indexing and merging
- Do not set number_of_replicas to 0 in production; replicas provide both search throughput and data redundancy
- Do not update mappings on existing indices for incompatible type changes; create a new index with the correct mapping and reindex the data