Top 33 Essential Elasticsearch Interview Questions and Answers

1. Brief Introduction to Elasticsearch

Elasticsearch is a distributed, RESTful search and analytics engine that stores data centrally and helps discover expected and unexpected insights. It is built on Lucene, provides full‑text search, and is open‑source under the Apache license.

Distributed real‑time document storage with every field indexed for search.

Distributed real‑time analytics with near‑second response on massive data.

Simple RESTful API compatible with many programming languages.

Scalable to handle petabytes of structured or unstructured data.

2. Current Stable Elasticsearch Version

The latest stable version at the time of writing is 7.10 (released on 2020‑11‑21). Knowing the latest version shows awareness of rapid ES updates.

3. Installation Dependencies

Early ES versions required a JDK, but from 7.x onward the JDK is bundled, so no external dependencies are needed.

4. How to Start an Elasticsearch Server

Run the following command from the bin directory to start ES in the background: ./elasticsearch -d Then open http://<em>ES_IP</em>:9200 in a browser to verify the cluster is up. If startup fails, check the logs for error details.

5. Companies Using Elasticsearch

Many major internet companies use Elasticsearch, including (not exhaustive): Alibaba, Tencent, Baidu, JD.com, Meituan, Xiaomi, Didi, Ctrip, ByteDance, Beike, 360, IBM, SF Express.

6. What Is an Elasticsearch Cluster?

An Elasticsearch cluster is a group of one or more connected Elasticsearch node instances that share tasks, perform searches, and build indices.

7. What Is an Elasticsearch Node?

A node is a single Elasticsearch process, typically deployed on its own server, VM, or container. Nodes have roles such as master, data, client (coordinating), and ingest.

Master node – manages cluster-wide operations like creating or deleting indices.

Data node – stores data and executes CRUD, search, and aggregation operations.

Client/Coordinating node – forwards requests to master or data nodes.

Ingest node – preprocesses documents before indexing.

8. Concept of an Index in a Cluster

An index in Elasticsearch is analogous to a table in a relational database; a cluster can contain many indices.

9. Concept of Type in an Index

Older ES versions (5.x, 2.x, 1.x) allowed multiple types per index. From 6.0 onward an index can have only one mapping type, and types are removed in 7.0 and fully deleted in 8.0.

10. Defining a Mapping

Mapping defines how documents and their fields are stored and indexed, e.g., which string fields are text, which are keyword, numeric, date, or geo types, and custom rules for dynamic field addition.

11. What Is a Document?

A document is a JSON object stored in Elasticsearch, equivalent to a row in a relational table.

12. What Are Shards?

Sharding splits an index into smaller pieces to improve search latency and scalability when data volume grows.

13. Replicas and Their Benefits

Replicas are copies of primary shards that increase query throughput under heavy load and provide high availability; if a primary fails, a replica is promoted.

14. Adding or Creating an Index

Use the Create Index API with settings, mappings, and optional aliases. Templates can also be used to create indices.

15. Deleting an Index Syntax

DELETE <index_name>

Wildcards are supported, e.g., DELETE my_*.

16. List All Indices

GET _cat/indices

17. Update Mapping Syntax

PUT test_001/_mapping
{
  "properties": {
    "title": {"type": "keyword"}
  }
}

18. Retrieve Document by ID

GET test_001/_doc/1

19. Relevance and Scoring

Relevance is calculated by Lucene’s scoring algorithm based on term frequency and inverse document frequency; higher scores indicate more relevant results.

20. Ways to Search in Elasticsearch

1) DSL query (JSON body).

GET /shirts/_search
{
  "query": {
    "bool": {
      "filter": [
        {"term": {"color": "red"}},
        {"term": {"brand": "gucci"}}
      ]
    }
  }
}

2) URL query string. GET /my_index/_search?q=user:seina 3) SQL‑like query (experimental).

POST /_sql?format=txt
{
  "query": "SELECT * FROM my_index ORDER BY itemid DESC LIMIT 5"
}

21. Types of Queries

Exact match queries: term, exists, terms, range, prefix, ids, wildcard, regexp, fuzzy, etc.

Full‑text queries: match, match_phrase, multi_match, match_phrase_prefix, query_string, etc.

22. Exact vs Full‑Text Matching

Exact match checks for complete equality (e.g., ZIP code, ID). Full‑text match evaluates relevance (e.g., searching for “Apple” returns both fruit and company results).

23. What Is Aggregation?

Aggregations compute statistics over query results, useful for metrics like average load time, top customers, file size distribution, product counts, etc.

Bucket aggregations – group documents by field values or ranges.

Metric aggregations – calculate sums, averages, etc.

Pipeline aggregations – process outputs of other aggregations.

Sub‑aggregations – nested aggregations.

24. Data Storage in Elasticsearch

Data is indexed as JSON documents according to the defined mapping, which determines how fields are stored and searchable.

25. What Is an Analyzer?

An analyzer processes text for indexing and searching; it consists of a character filter, tokenizer, and token filter.

26. Types of Analyzers

Standard Analyzer – default, Unicode‑based tokenizer.

Whitespace Analyzer – splits on spaces.

Stop Analyzer – removes stop words.

Keyword Analyzer – does not tokenize, indexes the whole string.

27. Using a Tokenizer

A tokenizer receives a character stream (after optional character filtering) and produces tokens with position, start_offset, and end_offset.

28. Token Filter Function

Token filters further process token streams, e.g., lowercasing, removing stop words, adding synonyms.

29. Ingest Node Function

An ingest node preprocesses documents before indexing using pipelines, similar to Logstash filters.

30. Master vs. Candidate Master Nodes

Master nodes manage cluster-wide operations like index creation and shard allocation. Candidate master nodes are eligible to become the master.

31. Field Attributes: enabled, index, store

enabled:false – skips parsing of the field (cannot be searched).

index:false – field is not indexed and cannot be queried.

store:true – stores the field separately for retrieval without loading the _source.

32. Character Filters in Analyzers

Character filters transform the raw text stream before tokenization, e.g., HTML stripping, mapping, or regex replacement.

HTML Strip Character Filter – removes HTML tags and decodes entities.

Mapping Character Filter – replaces specified characters.

Pattern Replace Character Filter – uses regex for replacements.

33. Near‑Real‑Time (NRT) Search

Elasticsearch provides near‑real‑time search with a default refresh interval of 1 second; this can be tuned (e.g., refresh_interval=30s) for write‑heavy workloads.

34. Advantages of REST API

REST is stateless, language‑agnostic, and separates the UI from the server, enhancing portability, scalability, and flexibility for Elasticsearch operations.

35. Installation Packages

Download the appropriate package for your OS from the official site; some features (e.g., machine learning, advanced security) are commercial.

36. Configuration Management Tools

Ansible

Chef

Puppet

Salt Stack

37. X‑Pack Features

X‑Pack adds security (role‑based access, TLS), monitoring, reporting, alerting, machine learning, and more to Elasticsearch.

38. X‑Pack APIs

Security APIs (e.g., setup‑passwords) are commonly used; other APIs include machine learning, Watcher, and migration.

39. Example X‑Pack Command

Setting passwords for security: setup‑passwords.

40. cat API Purpose

The cat API provides concise, human‑readable information about cluster health, nodes, indices, shards, allocation, and more.

41. Common cat Commands

GET _cat/aliases?v

GET _cat/allocation

GET _cat/count?v

GET _cat/fielddata?v

GET _cat/health?

GET _cat/indices?v

GET _cat/master?v

GET _cat/nodeattrs?v

GET _cat/nodes?v

GET _cat/pending_tasks?v

GET _cat/plugins?v

GET _cat/recovery?v

GET _cat/repositories?v

GET _cat/segments?v

GET _cat/shards?v

GET _cat/snapshots?v

GET _cat/tasks?v

GET _cat/templates?v

GET _cat/thread_pool?v

42. Explore API

The Explore API (part of Graph) is a paid feature for graph exploration.

43. Migration API

The Migration API helps upgrade X‑Pack indices between Elasticsearch versions.

44. Search API

Search API retrieves data from indices, optionally routing queries to specific shards.

45. Common Field Data Types

String: text (full‑text) and keyword (exact).

Numeric: byte, short, integer, long, float, double, half_float, scaled_float.

Date, boolean, binary, range types, object/nested, geo, and array types.

46. ELK Stack Overview

ELK consists of Elasticsearch (search), Logstash (ETL), Kibana (visualization), Beats (lightweight shippers), and X‑Pack (security, monitoring, etc.).

47. Kibana Role

Kibana provides a web UI for visualizing Elasticsearch data with drag‑and‑drop charts.

48. Logstash Integration

Logstash collects, transforms, and forwards data to Elasticsearch, supporting logs, databases, Kafka, Redis, etc.

49. Beats Integration

Beats are lightweight data shippers that send data directly to Elasticsearch or via Logstash.

50. Elastic Reporting

Reporting (paid) generates PDF, PNG, or CSV outputs from search results.

51. ELK Use Cases

E‑commerce search

Fraud detection

Market intelligence

Risk management

Security analytics