Shards and replicas in Elasticsearch

Question

I am trying to understand what shard and replica is in Elasticsearch, but I didn't manage to understand it. If I download Elasticsearch and run the script, then from what I know I have started a cluster with a single node. Now this node (my PC) have 5 shards (?) and some replicas (?).

What are they, do I have 5 duplicates of the index? If so why? I could need some explanation.

Answer 1

I'll try to explain with a real example since the answer and replies you got don't seem to help you.

When you download elasticsearch and start it up, you create an elasticsearch node which tries to join an existing cluster if available or creates a new one. Let's say you created your own new cluster with a single node, the one that you just started up. We have no data, therefore we need to create an index.

When you create an index (an index is automatically created when you index the first document as well) you can define how many shards it will be composed of. If you don't specify a number it will have the default number of shards: 5 primaries. What does it mean?

It means that elasticsearch will create 5 primary shards that will contain your data:

 ____    ____    ____    ____    ____
| 1  |  | 2  |  | 3  |  | 4  |  | 5  |
|____|  |____|  |____|  |____|  |____|

Every time you index a document, elasticsearch will decide which primary shard is supposed to hold that document and will index it there. Primary shards are not a copy of the data, they are the data! Having multiple shards does help taking advantage of parallel processing on a single machine, but the whole point is that if we start another elasticsearch instance on the same cluster, the shards will be distributed in an even way over the cluster.

Node 1 will then hold for example only three shards:

 ____    ____    ____ 
| 1  |  | 2  |  | 3  |
|____|  |____|  |____|

Since the remaining two shards have been moved to the newly started node:

 ____    ____
| 4  |  | 5  |
|____|  |____|

Why does this happen? Because elasticsearch is a distributed search engine and this way you can make use of multiple nodes/machines to manage big amounts of data.

Every elasticsearch index is composed of at least one primary shard since that's where the data is stored. Every shard comes at a cost, though, therefore if you have a single node and no foreseeable growth, just stick with a single primary shard.

Another type of shard is a replica. The default is 1, meaning that every primary shard will be copied to another shard that will contain the same data. Replicas are used to increase search performance and for fail-over. A replica shard is never going to be allocated on the same node where the related primary is (it would pretty much be like putting a backup on the same disk as the original data).

Back to our example, with 1 replica we'll have the whole index on each node, since 2 replica shards will be allocated on the first node and they will contain exactly the same data as the primary shards on the second node:

 ____    ____    ____    ____    ____
| 1  |  | 2  |  | 3  |  | 4R |  | 5R |
|____|  |____|  |____|  |____|  |____|

Same for the second node, which will contain a copy of the primary shards on the first node:

 ____    ____    ____    ____    ____
| 1R |  | 2R |  | 3R |  | 4  |  | 5  |
|____|  |____|  |____|  |____|  |____|

With a setup like this, if a node goes down, you still have the whole index. The replica shards will automatically become primaries and the cluster will work properly despite the node failure, as follows:

 ____    ____    ____    ____    ____
| 1  |  | 2  |  | 3  |  | 4  |  | 5  |
|____|  |____|  |____|  |____|  |____|

Since you have "number_of_replicas":1, the replicas cannot be assigned anymore as they are never allocated on the same node where their primary is. That's why you'll have 5 unassigned shards, the replicas, and the cluster status will be YELLOW instead of GREEN. No data loss, but it could be better as some shards cannot be assigned.

As soon as the node that had left is backed up, it'll join the cluster again and the replicas will be assigned again. The existing shard on the second node can be loaded but they need to be synchronized with the other shards, as write operations most likely happened while the node was down. At the end of this operation, the cluster status will become GREEN.

Hope this clarifies things for you.

Answer 2

An index is broken into shards in order to distribute them and scale.

Replicas are copies of the shards and provide reliability if a node is lost. There is often confusion in this number because replica count == 1 means the cluster must have the main and a replicated copy of the shard available to be in the green state.

In order for replicas to be created, you must have at least 2 nodes in your cluster.

You may find the definitions here easier to understand: http://www.elasticsearch.org/guide/reference/glossary/

Best Regards, Paul

Answer 3

Shard:

1. Being distributed search server, ElasticSearch uses concept called Shard to distribute index documents across all nodes.
2. An index can potentially store a large amount of data that can exceed the hardware limits of a single node
3. For example, a single index of a billion documents taking up 1TB of disk space may not fit on the disk of a single node or may be too slow to serve search requests from a single node alone.
4. To solve this problem, Elasticsearch provides the ability to subdivide your index into multiple pieces called shards.
5. When you create an index, you can simply define the number of shards that you want.
6. Documents are stored in shards, and shards are allocated to nodes in your cluster
7. As your cluster grows or shrinks, Elasticsearch will automatically migrate shards between nodes so that the cluster remains balanced.
8. A shard can be either a primary shard or a replica shard.
9. Each document in your index belongs to a single primary shard, so the number of primary shards that you have determines the maximum amount of data that your index can hold
10. A replica shard is just a copy of a primary shard.

Replica:

1. Replica shard is the copy of primary Shard, to prevent data loss in case of hardware failure.
2. Elasticsearch allows you to make one or more copies of your index’s shards into what are called replica shards, or replicas for short.
3. An index can also be replicated zero (meaning no replicas) or more times.
4. The number of shards and replicas can be defined per index at the time the index is created.
5. After the index is created, you may change the number of replicas dynamically anytime but you cannot change the number of shards after-the-fact.
6. By default, each index in Elasticsearch is allocated 5 primary Shards and 1 replica which means that if you have at least two nodes in your cluster, your index will have 5 primary shards and another 5 replica shards (1 complete replica) for a total of 10 shards per index.

Answer 4

If you really don't like to see it yellow. you can set the number of replicas to be zero:

curl -XPUT 'localhost:9200/_settings' -d '
{
    "index" : {
        "number_of_replicas" : 0
    }
}
'

Note that you should do this only on your local development box.

Answer 5

An index is broken into shards in order to distribute them and scale.

Replicas are copies of the shards.

A node is a running instance of elastic search which belongs to a cluster.

A cluster consists of one or more nodes which share the same cluster name. Each cluster has a single master node which is chosen automatically by the cluster and which can be replaced if the current master node fails.

Answer 6

I will explain this using a real word scenarios. Imagine you are a running a ecommerce website. As you become more popular more sellers and products add to your website. You will realize the number of products you might need to index has grown and it is too large to fit in one hard disk of one node. Even if it fits in to hard disk, performing a linear search through all the documents in one machine is extremely slow. one index on one node will not take advantage of the distributed cluster configuration on which the elasticsearch works.

So elasticsearch splits the documents in the index across multiple nodes in the cluster. Each and every split of the document is called a shard. Each node carrying a shard of a document will have only a subset of the document. suppose you have 100 products and 5 shards, each shard will have 20 products. This sharding of data is what makes low latency search possible in elasticsearch. search is conducted parallel on multiple nodes. Results are aggregated and returned. However the shards doesnot provide fault tolerance. Meaning if any node containing the shard is down, the cluster health becomes yellow. Meaning some of the data is not available.

To increase the fault tolerance replicas come in to picture. By deault elastic search creates a single replica of each shard. These replicas are always created on a other node where the primary shard is not residing. So to make the system fault tolerant, you might have to increase the number of nodes in your cluster and it also depends on number of shards of your index. The general formula to calculate the number of nodes required based on replicas and shards is "number of nodes = number of shards*(number of replicas + 1)".The standard practice is to have atleast one replica for fault tolerance.

Setting up the number of shards is a static operation, meaning you have to specify it when you are creating an index. Any change after that woulf require complete reindexing of data and will take time. But, setting up number of replicas is a dynamic operation and can be done at any time after index creation also.

you can setup the number of shards and replicas for your index with the below command.

curl -XPUT 'localhost:9200/sampleindex?pretty' -H 'Content-Type: application/json' -d '
{
  "settings":{
    "number_of_shards":2,
    "number_of_replicas":1
  }
}'

Answer 7

In its simplest terms, the shard is nothing but a part of an index that stored on the disk within a separated folder:

This screenshot shows the entire Elasticsearch directory.

As you can see, all the data goes into the data directory.

By inspecting the index C-mAfLltQzuas72iMiIXNw we see that it has five shards (folders 0 to 4).

In other hand, the JH_A8PgCRj-GK0GeQ0limw index has only one shard (0 folder).

The pri shows the total number of shards.

Answer 8

Not an answer but another reference for core concepts to ElasticSearch, and I think they are pretty clear as compliment to @javanna's answer.

Shards

An index can potentially store a large amount of data that can exceed the hardware limits of a single node. For example, a single index of a billion documents taking up 1TB of disk space may not fit on the disk of a single node or may be too slow to serve search requests from a single node alone.

To solve this problem, Elasticsearch provides the ability to subdivide your index into multiple pieces called shards. When you create an index, you can simply define the number of shards that you want. Each shard is in itself a fully-functional and independent "index" that can be hosted on any node in the cluster.

Sharding is important for two primary reasons:

• It allows you to horizontally split/scale your content volume.
• It allows you to distribute and parallelize operations across shards (potentially on multiple nodes) thus increasing performance/throughput.

Replicas

In a network/cloud environment where failures can be expected anytime, it is very useful and highly recommended to have a failover mechanism in case a shard/node somehow goes offline or disappears for whatever reason. To this end, Elasticsearch allows you to make one or more copies of your index’s shards into what are called replica shards, or replicas for short.

Replication is important for two primary reasons:

• It provides high availability in case a shard/node fails. For this reason, it is important to note that a replica shard is never allocated on the same node as the original/primary shard that it was copied from.
• It allows you to scale out your search volume/throughput since searches can be executed on all replicas in parallel.

Answer 9

Elasticsearch is superbly scalable with all the credit goes to its distributed architecture. It is made possible due to Sharding. Now, before moving further into it, let us consider a simple and very common use case. Let us suppose, you have an index which contains a hell lot of documents, and for the sake of simplicity, consider that the size of that index is 1 TB (i.e, Sum of sizes of each and every document in that index is 1 TB). Also, assume that you have two Nodes each with 512 GB of space available for storing data. As can be seen clearly, our entire index cannot be stored in any of the two nodes available and hence we need to distribute our index among these Nodes.

In cases like this where the size of an index exceeds the hardware limits of a single node, Sharding comes to the rescue. Sharding solves this problem by dividing the indices into smaller pieces and these pieces are named as Shards.

Answer 10

In ElasticSearch, at the top level we index the documents into indices. Each index has number of shards which internally distributes the data and inside shards exist the Lucene segments which is the core storage of the data. So if the index has 5 shards it means data has been distributed across the shards and not same data exist into the shards.

Watch out for the video which explains core of ES https://www.youtube.com/watch?v=PpX7J-G2PEo

Article on multiple indices or multiple shards Elastic search, multiple indexes vs one index and types for different data sets?