Elasticsearch Common Mistakes and How to Prevent Them

Field NotesPlaybooks
Written By Yaugen Drybin

Elasticsearch remains one of the most powerful distributed search and analytics engines available today. It enables near real-time insight at scale — but it’s also deceptively easy to misuse. What starts as a small cluster for log analytics can turn into a sprawling, unstable monster consuming tons of the hardware and returning unpredictable results.

In this article, we’ll look at six most common Elasticsearch pitfalls engineers and architects repeatedly face — and how to avoid them before they cost you time, money, and credibility.

1. Oversharding and Cluster Fragmentation

The problem:

Too many small shards. Every shard in Elasticsearch is a Lucene index with its own file handles, caches, and threads. When you create hundreds (or thousands) of shards per index, cluster coordination overhead goes to the moon. The master node spends more time managing metadata than serving queries.

Impact:

  • “Too many open files” errors

  • High heap usage despite low data volume

  • Slow cluster state updates or failed index creations

How to fix it:

  • Target shard size between 10-50 GB for hot data.

  • Use the _shrink API to consolidate small shards.

  • For time-series data, use Index Lifecycle Management (ILM) to roll over indices automatically.

  • Start with fewer shards and scale up — not the other way around.

2. Dynamic Mapping Gone Wild

The problem:
Dynamic mapping automatically detects new fields and assigns data types. It’s convenient at the beginning — until a log field suddenly changes type and your entire index mapping breaks.

Simple example:

{"status": 200}
{"status": "OK"}

Elasticsearch now sees a conflict: status was integer, now it’s text.

Impact:

  • Indexing failures

  • Data inconsistency

  • Query errors (Fielddata is disabled on text fields)

How to fix it:

  • Always define explicit mappings for structured data.

  • Disable dynamic mapping: "dynamic": "strict"

  • Use ingest pipelines to normalize fields before indexing.

  • Maintain a version-controlled mapping schema in Git.

3. Inefficient Queries and Scripts

The problem:
Elasticsearch makes it easy to build flexible queries — and equally easy to write expensive ones. Poorly designed aggregations or regex-based filters can cripple performance.

Examples:

  • regexp queries on large text fields

  • script_fields performing per-document computation

  • Wildcard searches (*error*) across high-cardinality datasets

Solutions:

  • Use keyword fields for exact matches.

  • Pre-aggregate data with rollup indices or external ETL jobs.

  • Cache frequent queries and leverage request_cache.

  • Profile queries with the _profile API and use slow logs.

4. Misconfigured Memory and JVM Heap

The problem:
Elasticsearch runs on the JVM, so proper heap tuning is critical. Too little memory causes GC pressure; too much leads to OS-level swapping.

Guidelines:

  • Set heap to 50% of system RAM, max 30–32 GB.

  • Disable swap (bootstrap.memory_lock: true).

  • Use G1GC (default since 7.x) and monitor GC pauses.

  • Keep the OS page cache healthy — it’s essential for Lucene performance.

5. Ignoring Index Lifecycle Management

The problem:
Clusters grow endlessly because old indices are never deleted. The result: skyrocketing storage, sluggish searches, and expensive nodes.

Solution:

  • Define an ILM policy to automate rollovers, warm/cold transitions, and deletions.

  • Archive historical data to S3 using snapshot/restore.

  • Use frozen tier for rare access logs instead of deleting them outright.

6. Skipping Monitoring and Alerting

The problem:
Without telemetry, you’ll never know a node is failing until users complain.

What to monitor:

  • Heap usage and GC pauses

  • Indexing latency and queue rejections

  • Shard relocation events

  • Disk watermarks (85% = danger zone)

Tools:

  • Elastic’s own Kibana Stack Monitoring

  • Prometheus + Grafana with elasticsearch_exporter

  • External solutions like Datadog, New Relic, or OpenTelemetry

Golden rule: if you can’t visualize it, you can’t fix it.

Conclusion

Elasticsearch is like a F1 car: it delivers incredible speed, but demands precise tuning. Most performance and stability issues come from neglecting the basics — shard sizing, schema control, resource management, and lifecycle hygiene.

If you’re struggling with unpredictable cluster performance, ballooning costs, or unclear search behavior, I can help you:

  • Audit your existing Elasticsearch setup and identify inefficiencies.

  • Redesign your indexing and lifecycle policies for sustainable scale.

  • Implement monitoring, alerting, and query optimization frameworks.

  • Create cost-efficient architectures that balance performance and reliability.

Reach out if you want to transform Elasticsearch from a maintenance headache into a well-oiled search engine that actually supports your business goals.

Yaugen Drybin
Next

How SRE Culture Drives Scale