elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Make single numeric value searching more performant #108152

Open benwtrent opened 2 months ago

benwtrent commented 2 months ago

Description

Right now, when we search for a single numerical value (be it ip_address, port, etc.), we utilize the PointRangeQuery in Lucene with the upper and lower ranges being equivalent.

This will likely mean we build a FixedBitSet for the matching documents, and this cost can add up significantly. An example of this extreme cost can be seen in various security alert rules that commonly search multiple thousands of disjunctions, where each disjunction is a conjunction looking for a single IP address or a single port.

We need to do this better.

Can we optimize the single point case?

Maybe with inspiration from PointInSetQuery?
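An added example (not from this issue or the Elasticsearch code base) that builds a small constructed index and runs the two Lucene query shapes the issue contrasts: the exact-value query, which Lucene implements as a PointRangeQuery whose lower and upper bounds are the same value, and the one-element PointInSetQuery. It also assembles the alert-rule shape described above, a disjunction of conjunctions each pinning one source IP and one destination port. It assumes lucene-core on the classpath and uses only the public IntPoint / InetAddressPoint factory methods; field names, sample events and indicator values are made up for the demo.

```java
import java.io.IOException;
import java.net.InetAddress;

import org.apache.lucene.document.Document;
import org.apache.lucene.document.InetAddressPoint;
import org.apache.lucene.document.IntPoint;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.index.IndexWriter;
import org.apache.lucene.index.IndexWriterConfig;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.PointInSetQuery;
import org.apache.lucene.search.PointRangeQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.store.ByteBuffersDirectory;
import org.apache.lucene.store.Directory;

public class SinglePointQueryDemo {

    // Constructed sample events (source ip, destination port); not real traffic.
    private static final String[][] EVENTS = {
        {"10.0.0.5", "22"},
        {"10.0.0.5", "443"},
        {"10.0.0.9", "22"},
        {"192.168.1.20", "3389"},
    };

    // Constructed indicator list in the shape of a detection rule: each entry is
    // one (ip, port) conjunction, and the rule is the disjunction of all entries.
    private static final String[][] INDICATORS = {
        {"10.0.0.5", "22"},
        {"10.0.0.9", "22"},
        {"192.168.1.20", "3389"},
    };

    public static void main(String[] args) throws IOException {
        try (Directory dir = new ByteBuffersDirectory()) {
            // Index each event with a point field for the ip and one for the port.
            try (IndexWriter writer = new IndexWriter(dir, new IndexWriterConfig())) {
                for (String[] ev : EVENTS) {
                    Document doc = new Document();
                    doc.add(new InetAddressPoint("src_ip", InetAddress.getByName(ev[0])));
                    doc.add(new IntPoint("dst_port", Integer.parseInt(ev[1])));
                    writer.addDocument(doc);
                }
            }

            try (DirectoryReader reader = DirectoryReader.open(dir)) {
                IndexSearcher searcher = new IndexSearcher(reader);

                // 1. The current shape: a single value expressed as a range whose
                //    lower and upper bounds are the same value (a PointRangeQuery).
                Query exactPort = IntPoint.newExactQuery("dst_port", 22);
                System.out.println("exact query is PointRangeQuery: "
                        + (exactPort instanceof PointRangeQuery));
                System.out.println("exact port 22 hits: " + searcher.count(exactPort));

                // 2. The alternative the issue points at: a one-element set query.
                Query setPort = IntPoint.newSetQuery("dst_port", 22);
                System.out.println("set query is PointInSetQuery: "
                        + (setPort instanceof PointInSetQuery));
                System.out.println("set {22} hits: " + searcher.count(setPort));

                // 3. The alert-rule shape: SHOULD over many FILTER conjunctions, each
                //    built from two single-value point queries. Real rules can carry
                //    thousands of these clauses, which is where the cost adds up.
                BooleanQuery.Builder rule = new BooleanQuery.Builder();
                for (String[] ind : INDICATORS) {
                    BooleanQuery.Builder conj = new BooleanQuery.Builder();
                    conj.add(InetAddressPoint.newExactQuery("src_ip", InetAddress.getByName(ind[0])),
                            BooleanClause.Occur.FILTER);
                    conj.add(IntPoint.newExactQuery("dst_port", Integer.parseInt(ind[1])),
                            BooleanClause.Occur.FILTER);
                    rule.add(conj.build(), BooleanClause.Occur.SHOULD);
                }
                System.out.println("alert rule hits: " + searcher.count(rule.build()));
            }
        }
    }
}
```

Both the exact query and the one-element set query return the same documents; the difference the issue is about is how each one visits the BKD tree and materialises its matches, so swapping the factory method in step 3 is the kind of experiment that lets you measure the two strategies on a realistic rule size.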

elasticsearchmachine commented 2 months ago

Pinging @elastic/es-search (Team:Search)