
Cross-cluster search in Elasticsearch

Introduction

Cross-cluster search lets you look for information in many Elasticsearch clusters at once. This helps you find data quickly without moving it all to one place.

You have data spread across different Elasticsearch clusters in different locations.
You want to search all your data without copying it to a single cluster.
You manage multiple teams or projects with separate clusters but need combined search results.
You want to keep data isolated for security but still allow searching across clusters.
Syntax
Elasticsearch
GET /_search
{
  "query": {
    "match": {
      "field": "value"
    }
  }
}

# To search across clusters, prefix index names with cluster alias:
GET /cluster_alias:index_name/_search
{
  "query": {
    "match_all": {}
  }
}

You must set up remote cluster connections in your Elasticsearch settings before using cross-cluster search.

Use cluster_alias:index_name to specify which cluster and index to search.

Examples
This searches the logs-2024 index on the remote cluster named remote_cluster_1 for documents containing "error" in the message field.
Elasticsearch
GET /remote_cluster_1:logs-2024/_search
{
  "query": {
    "match": {
      "message": "error"
    }
  }
}
This searches both the local index local_index and the events index on the remote cluster remote_cluster_2 and returns all documents.
Elasticsearch
GET /local_index,remote_cluster_2:events/_search
{
  "query": {
    "match_all": {}
  }
}
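The Python sketch below is an added example, not part of the original tutorial. When an application builds the search target from caller input, it can parse the cluster_alias:index_name expression and check every target against an allow-list before the request is sent. The policy table ALLOWED_TARGETS and all function names are hypothetical, and wildcards and exclusions are rejected outright.

```python
# Added example: allow-list check for cross-cluster search targets.
# ALLOWED_TARGETS and all function names are hypothetical.
from fnmatch import fnmatchcase

LOCAL = None  # key used for indices on the local cluster (no alias prefix)

# Constructed policy: cluster alias -> index patterns callers may search.
ALLOWED_TARGETS = {
    LOCAL: ["local_index"],
    "remote_cluster_1": ["logs-*", "products"],
    "remote_cluster_2": ["events"],
}


def parse_targets(expression):
    """Split 'a,alias:b' into [(None, 'a'), ('alias', 'b')]."""
    targets = []
    for part in (p.strip() for p in expression.split(",")):
        alias, sep, index = part.partition(":")
        if not sep:
            alias, index = LOCAL, part
        # Reject empty names and anything with a second colon rather than guess.
        if alias == "" or index == "" or ":" in index:
            raise ValueError(f"unsupported index expression: {part!r}")
        targets.append((alias, index))
    return targets


def check_targets(expression, allowed=ALLOWED_TARGETS):
    """Return parsed targets; raise PermissionError if any is outside policy."""
    targets = parse_targets(expression)
    for alias, index in targets:
        # Wildcards and "-" exclusions in the request could fan out to
        # clusters or indices the policy never named, so require literals.
        if any(c in "*?" for c in (alias or "") + index) or index.startswith("-"):
            raise PermissionError(f"wildcard or exclusion not allowed: {index!r}")
        patterns = allowed.get(alias)
        if patterns is None:
            raise PermissionError(f"cluster alias not allowed: {alias!r}")
        if not any(fnmatchcase(index, p) for p in patterns):
            raise PermissionError(f"index not allowed on {alias!r}: {index!r}")
    return targets


def is_allowed(expression):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        check_targets(expression)
        return True
    except (ValueError, PermissionError):
        return False
```

Call check_targets on the caller-supplied expression and build the request path only from the tuples it returns.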
Sample Program

First, we tell Elasticsearch where to find the remote cluster by adding its address. Then, we search the products index on that remote cluster for documents where the name contains "laptop".

Elasticsearch
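# Register the remote cluster under the alias remote_cluster_1.
# The setting prefix is cluster.remote.* (search.remote.* was deprecated in Elasticsearch 6.5 and removed in 7.0).
PUT /_cluster/settings
{
  "persistent": {
    "cluster.remote.remote_cluster_1.seeds": ["192.168.1.10:9300"]
  }
}

# Search the products index on the remote cluster.
GET /remote_cluster_1:products/_search
{
  "query": {
    "match": {
      "name": "laptop"
    }
  }
}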
Important Notes

Make sure the remote cluster is reachable and configured correctly before searching.

Cross-cluster search can add some delay because it talks to multiple clusters.

You can combine local and remote indices in one search request.

Summary

Cross-cluster search helps you find data across many Elasticsearch clusters easily.

You must set up remote cluster connections before using it.

Use cluster aliases to specify which cluster's data you want to search.