Bird
Raised Fist0
Elasticsearchquery~5 mins

Runtime fields in Elasticsearch

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Runtime fields let you create new fields on the fly when you search your data. You don't need to change your stored data.

You want to add a new field to your search results without reindexing your data.
You need to calculate a value from existing fields during a search.
You want to test a new field's logic before adding it permanently.
You want to simplify queries by creating easy-to-use fields.
You want to transform or combine fields dynamically at search time.
Syntax
Elasticsearch
{
  "runtime_mappings": {
    "field_name": {
      "type": "keyword|long|double|date|boolean|ip",
      "script": {
        "source": "emit(your_script_here)"
      }
    }
  }
}

The runtime_mappings section defines new fields for the search request.

The script uses painless language to calculate the field's value.

Examples
This creates a new full_name field by joining first and last names.
Elasticsearch
{
  "runtime_mappings": {
    "full_name": {
      "type": "keyword",
      "script": {
        "source": "emit(doc['first_name'].value + ' ' + doc['last_name'].value)"
      }
    }
  }
}
This creates a boolean field is_adult that is true if age is 18 or more.
Elasticsearch
{
  "runtime_mappings": {
    "is_adult": {
      "type": "boolean",
      "script": {
        "source": "emit(doc['age'].value >= 18)"
      }
    }
  }
}
This calculates a new field price_with_tax by adding 20% tax to the price.
Elasticsearch
{
  "runtime_mappings": {
    "price_with_tax": {
      "type": "double",
      "script": {
        "source": "emit(doc['price'].value * 1.2)"
      }
    }
  }
}
Sample Program

This search query returns all documents. It adds a runtime field full_name by joining first_name and last_name. The results show only full_name and age.

Elasticsearch
{
  "query": {
    "match_all": {}
  },
  "runtime_mappings": {
    "full_name": {
      "type": "keyword",
      "script": {
        "source": "emit(doc['first_name'].value + ' ' + doc['last_name'].value)"
      }
    }
  },
  "_source": ["full_name", "age"]
}
OutputSuccess
Important Notes

Runtime fields are calculated at search time, so they can slow down queries if complex.

They do not change your stored data or index mappings permanently.

Use runtime fields to experiment or add temporary fields without reindexing.

Summary

Runtime fields create new fields dynamically during search without changing stored data.

They use painless scripts to calculate values from existing fields.

Useful for quick calculations, testing, or adding fields without reindexing.

Practice

(1/5)
1. What is the main purpose of runtime fields in Elasticsearch?
easy
A. To backup the index data automatically
B. To create new fields dynamically during search without changing stored data
C. To delete existing fields from documents
D. To permanently add new fields to the index mapping

Solution

  1. Step 1: Understand runtime fields concept

    Runtime fields are used to add fields dynamically at query time without modifying the stored data.

  2. Step 2: Compare options with concept

    Only To create new fields dynamically during search without changing stored data describes creating fields dynamically during search without changing stored data.

  3. Final Answer:

    To create new fields dynamically during search without changing stored data -> Option B

  4. Quick Check:

    Runtime fields = dynamic fields at search time [OK]
Hint: Runtime fields add data on-the-fly, not stored permanently [OK]
Common Mistakes:
  • Confusing runtime fields with permanent mapping changes
  • Thinking runtime fields modify stored documents
  • Assuming runtime fields delete data
2. Which of the following is the correct syntax to define a runtime field named full_name that concatenates first_name and last_name using painless script?
easy
A. { "runtime_mappings": { "full_name": { "type": "keyword", "script": "return doc['first_name'] + ' ' + doc['last_name']" } } }
B. { "mappings": { "full_name": { "type": "text" } } }
C. { "runtime_fields": { "full_name": { "type": "keyword", "script": "emit(doc['first_name'].value + ' ' + doc['last_name'].value)" } } }
D. { "runtime_mappings": { "full_name": { "type": "keyword", "script": { "source": "emit(doc['first_name'].value + ' ' + doc['last_name'].value)" } } } }

Solution

  1. Step 1: Identify correct runtime field syntax

    Runtime fields are defined under runtime_mappings with a type and a script object containing source code.

  2. Step 2: Check script correctness

    { "runtime_mappings": { "full_name": { "type": "keyword", "script": { "source": "emit(doc['first_name'].value + ' ' + doc['last_name'].value)" } } } } uses emit() inside source string and accesses doc['field'].value correctly.

  3. Final Answer:

    { "runtime_mappings": { "full_name": { "type": "keyword", "script": { "source": "emit(doc['first_name'].value + ' ' + doc['last_name'].value)" } } } } -> Option D

  4. Quick Check:

    runtime_mappings + emit() + doc['field'].value = correct syntax [OK]
Hint: Use runtime_mappings with script source and emit() for runtime fields [OK]
Common Mistakes:
  • Using mappings instead of runtime_mappings
  • Missing emit() function in script
  • Incorrect script syntax without source object
3. Given this runtime field definition in a search query:
{
  "runtime_mappings": {
    "age_plus_ten": {
      "type": "long",
      "script": {
        "source": "emit(doc['age'].value + 10)"
      }
    }
  }
}

What will be the value of age_plus_ten for a document with age = 25?
medium
A. 35
B. 15
C. 25
D. Error: field not found

Solution

  1. Step 1: Understand the script logic

    The script emits the value of age field plus 10.

  2. Step 2: Calculate the result for age=25

    25 + 10 = 35.

  3. Final Answer:

    35 -> Option A

  4. Quick Check:

    age + 10 = 35 [OK]
Hint: Add 10 to age field value as scripted [OK]
Common Mistakes:
  • Confusing addition with subtraction
  • Assuming runtime fields modify stored data
  • Expecting syntax error instead of calculation
4. You wrote this runtime field script:
{
  "runtime_mappings": {
    "discounted_price": {
      "type": "double",
      "script": {
        "source": "emit(doc['price'].value * 0.9)"
      }
    }
  }
}

But the query fails with an error: Field [price] not found in doc. What is the likely cause?
medium
A. Runtime fields cannot use numeric types
B. The script syntax is incorrect
C. The price field is missing in some documents
D. The discounted_price field must be defined in mappings

Solution

  1. Step 1: Analyze error message

    Error says price field not found in document, meaning some docs lack this field.

  2. Step 2: Understand runtime field behavior

    Runtime scripts fail if they access missing fields without checks.

  3. Final Answer:

    The price field is missing in some documents -> Option C

  4. Quick Check:

    Missing field in doc causes runtime script error [OK]
Hint: Check if all docs have fields used in runtime scripts [OK]
Common Mistakes:
  • Assuming script syntax error without checking data
  • Thinking runtime fields require mapping changes
  • Ignoring missing field presence in documents
5. You want to create a runtime field status that returns "adult" if age ≥ 18, otherwise "minor". Which painless script correctly implements this logic?
hard
A. "emit(doc['age'].value >= 18 ? 'adult' : 'minor')"
B. "if (doc['age'].value >= 18) { return 'adult' } else { return 'minor' }"
C. "emit(doc['age'] >= 18 ? 'adult' : 'minor')"
D. "emit(doc['age'].value > 18 ? 'adult' : 'minor')"

Solution

  1. Step 1: Check correct painless syntax for runtime fields

    Runtime fields use emit() to output values; accessing field value requires doc['age'].value.

  2. Step 2: Verify conditional logic

    "emit(doc['age'].value >= 18 ? 'adult' : 'minor')" uses ternary operator with >= 18 and emits 'adult' or 'minor' correctly.

  3. Final Answer:

    "emit(doc['age'].value >= 18 ? 'adult' : 'minor')" -> Option A

  4. Quick Check:

    emit() + ternary + doc['age'].value = correct [OK]
Hint: Use emit() with ternary and doc['field'].value for conditions [OK]
Common Mistakes:
  • Using return instead of emit() in runtime fields
  • Accessing doc['age'] without .value
  • Using > instead of >= changing logic