Bird
Raised Fist0
Elasticsearchquery~5 mins

Hot-warm-cold architecture in Elasticsearch

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

This architecture helps manage data efficiently by storing recent data on fast machines and older data on slower, cheaper machines.

You want to keep recent logs quickly accessible for analysis.
You need to save storage costs by moving old data to cheaper hardware.
You want to improve search speed for recent data while still keeping older data available.
You have large amounts of time-series data like logs or metrics.
You want to automate data lifecycle management in Elasticsearch.
Syntax
Elasticsearch
PUT /_ilm/policy/hot-warm-cold-policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          },
          "set_priority": { "priority": 100 }
        }
      },
      "warm": {
        "min_age": "30d",
        "actions": {
          "allocate": {
            "require": { "data": "warm" }
          },
          "set_priority": { "priority": 50 }
        }
      },
      "cold": {
        "min_age": "90d",
        "actions": {
          "allocate": {
            "require": { "data": "cold" }
          },
          "set_priority": { "priority": 0 },
          "freeze": {}
        }
      }
    }
  }
}

The policy defines phases: hot, warm, and cold with actions for each.

Use allocate to move data to nodes with matching attributes.

Examples
This example shows a simple hot-warm policy with rollover after 7 days and moving data to warm nodes after 7 days.
Elasticsearch
PUT /_ilm/policy/simple-hot-warm
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": { "max_age": "7d" },
          "set_priority": { "priority": 100 }
        }
      },
      "warm": {
        "min_age": "7d",
        "actions": {
          "allocate": { "require": { "data": "warm" } },
          "set_priority": { "priority": 50 }
        }
      }
    }
  }
}
This template applies the hot-warm-cold policy to indices matching 'logs-*' and sets rollover alias.
Elasticsearch
PUT /_template/logs_template
{
  "index_patterns": ["logs-*"],
  "settings": {
    "index.lifecycle.name": "hot-warm-cold-policy",
    "index.lifecycle.rollover_alias": "logs-alias"
  }
}
Sample Program

This program creates a hot-warm-cold lifecycle policy, sets an index template to use it, and creates the first index with a rollover alias.

Elasticsearch
PUT /_ilm/policy/hot-warm-cold-policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          },
          "set_priority": { "priority": 100 }
        }
      },
      "warm": {
        "min_age": "30d",
        "actions": {
          "allocate": {
            "require": { "data": "warm" }
          },
          "set_priority": { "priority": 50 }
        }
      },
      "cold": {
        "min_age": "90d",
        "actions": {
          "allocate": {
            "require": { "data": "cold" }
          },
          "set_priority": { "priority": 0 },
          "freeze": {}
        }
      }
    }
  }
}

PUT /_template/logs_template
{
  "index_patterns": ["logs-*"],
  "settings": {
    "index.lifecycle.name": "hot-warm-cold-policy",
    "index.lifecycle.rollover_alias": "logs-alias"
  }
}

PUT /logs-000001
{
  "aliases": {
    "logs-alias": {
      "is_write_index": true
    }
  }
}
OutputSuccess
Important Notes

Make sure your Elasticsearch nodes have attributes like node.attr.data: warm or cold to allocate data properly.

Rollover helps create new indices automatically when size or age limits are reached.

Freezing cold indices reduces resource use but makes searches slower.

Summary

Hot-warm-cold architecture stores recent data on fast nodes and older data on slower, cheaper nodes.

Use index lifecycle management (ILM) policies to automate data movement between phases.

Rollover and allocation actions help manage data size and location efficiently.

Practice

(1/5)
1. What is the main purpose of the hot-warm-cold architecture in Elasticsearch?
easy
A. To encrypt data at rest and in transit
B. To store recent data on fast nodes and older data on slower, cheaper nodes
C. To backup data to external storage automatically
D. To replicate data across multiple clusters for high availability

Solution

  1. Step 1: Understand the architecture purpose

    The hot-warm-cold architecture is designed to optimize storage costs and performance by placing recent data on fast nodes and older data on slower, cheaper nodes.

  2. Step 2: Match the purpose to options

    To store recent data on fast nodes and older data on slower, cheaper nodes correctly describes this purpose, while other options describe different Elasticsearch features.

  3. Final Answer:

    To store recent data on fast nodes and older data on slower, cheaper nodes -> Option B

  4. Quick Check:

    Hot-warm-cold architecture = store data by age and speed [OK]
Hint: Remember: hot = fast recent, cold = slow old data [OK]
Common Mistakes:
  • Confusing hot-warm-cold with backup or replication
  • Thinking it encrypts data automatically
  • Assuming it manages cluster replication
2. Which Elasticsearch feature is used to automate moving data between hot, warm, and cold phases?
easy
A. Snapshot and Restore
B. Document Level Security
C. Index Lifecycle Management (ILM)
D. Cross-cluster Search

Solution

  1. Step 1: Identify automation for data phase movement

    Index Lifecycle Management (ILM) automates moving indices through hot, warm, and cold phases based on policies.

  2. Step 2: Compare other features

    Snapshot and Restore handles backups, Cross-cluster Search queries multiple clusters, and Document Level Security controls access, so they don't automate data movement.

  3. Final Answer:

    Index Lifecycle Management (ILM) -> Option C

  4. Quick Check:

    ILM automates data phase transitions [OK]
Hint: ILM = automates index phase changes [OK]
Common Mistakes:
  • Choosing Snapshot instead of ILM
  • Confusing security features with lifecycle management
  • Thinking cross-cluster search manages data phases
3. Given this ILM policy snippet, what phase will the index move to after 30 days? 
{
  "phases": {
    "hot": {"min_age": "0d"},
    "warm": {"min_age": "7d"},
    "cold": {"min_age": "30d"}
  }
}
medium
A. Cold phase
B. Warm phase
C. Hot phase
D. Delete phase

Solution

  1. Step 1: Analyze min_age values for phases

    The policy defines hot from 0 days, warm from 7 days, and cold from 30 days.

  2. Step 2: Determine phase after 30 days

    After 30 days, the index reaches the cold phase because its min_age is 30 days, which is the threshold for cold.

  3. Final Answer:

    Cold phase -> Option A

  4. Quick Check:

    30 days = cold phase start [OK]
Hint: Check min_age values to find current phase [OK]
Common Mistakes:
  • Choosing warm phase after 30 days
  • Confusing delete phase with cold phase
  • Ignoring min_age thresholds
4. You wrote this ILM policy but your index never moves to the warm phase: 
{
  "phases": {
    "hot": {"min_age": "0d"},
    "warm": {"min_age": "10d"}
  }
}
What is the likely problem?
medium
A. The index size is too small to trigger rollover
B. The warm phase min_age is too low
C. The warm phase is missing an allocation action
D. The policy lacks a cold phase

Solution

  1. Step 1: Understand ILM phase transition requirements

    For an index to move from hot to warm, rollover conditions like size or age must be met.

  2. Step 2: Identify missing trigger

    If the index size is too small, rollover won't happen, so the index stays in hot phase and never moves to warm.

  3. Final Answer:

    The index size is too small to trigger rollover -> Option A

  4. Quick Check:

    Small index size blocks rollover and phase move [OK]
Hint: Check rollover conditions to enable phase change [OK]
Common Mistakes:
  • Assuming missing allocation causes no move
  • Thinking warm phase min_age is too low
  • Believing cold phase is required to move to warm
5. You want to optimize storage costs by moving indices older than 60 days to cold nodes and delete indices older than 90 days. Which ILM policy snippet correctly implements this?
hard
A. { "phases": { "hot": {"min_age": "0d"}, "warm": {"min_age": "30d"}, "cold": {"min_age": "90d"}, "delete": {"min_age": "90d"} } }
B. { "phases": { "hot": {"min_age": "0d"}, "warm": {"min_age": "30d"}, "delete": {"min_age": "60d"} } }
C. { "phases": { "hot": {"min_age": "0d"}, "warm": {"min_age": "60d"}, "cold": {"min_age": "90d"}, "delete": {"min_age": "120d"} } }
D. { "phases": { "hot": {"min_age": "0d"}, "cold": {"min_age": "60d"}, "delete": {"min_age": "90d"} } }

Solution

  1. Step 1: Identify required phase ages

    Indices older than 60 days should move to cold, and older than 90 days should be deleted.

  2. Step 2: Match policy phases to requirements

    { "phases": { "hot": {"min_age": "0d"}, "cold": {"min_age": "60d"}, "delete": {"min_age": "90d"} } } has hot at 0d, cold at 60d, and delete at 90d, matching the requirements exactly.

  3. Final Answer:

    { "phases": { "hot": {"min_age": "0d"}, "cold": {"min_age": "60d"}, "delete": {"min_age": "90d"} } } -> Option D

  4. Quick Check:

    60d cold and 90d delete phases match [OK]
Hint: Match min_age exactly to your data lifecycle needs [OK]
Common Mistakes:
  • Adding unnecessary warm phase with wrong min_age
  • Setting delete phase too early
  • Skipping cold phase before delete