Make single numeric value searching more performant #108152
Labels
>enhancement
:Search/Search
Search-related issues that do not fall into other categories
Team:Search
Meta label for search team
Comments
benwtrent
added
>enhancement
:Search/Search
|
Pinging @elastic/es-search (Team:Search) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Right now, when we search for a single numerical value (be it ip_address, port, etc.), we utilize the
PointRangeQueryin Lucene with the upper and lower ranges being equivalent.This will likely mean we build a FixedBitSet for the matching documents and this cost can add up significantly. An example of this extreme cost can be seen in various security alert rules that commonly search multiple thousand disjunctions, where each disjunction is a conjunction looking for a single IP address or a single port.
We need to do this better.
Can we optimize the single point case?
Maybe with inspiration from
PointInSetQuery?The text was updated successfully, but these errors were encountered: