Elasticsearch shards are the fundamental building blocks of how your data is distributed and scaled across your cluster.
Let’s see Elasticsearch sharding in action. Imagine you have a small dataset, maybe a few thousand documents, and you start an Elasticsearch cluster with a single node. You index a document:
PUT /my-index/_doc/1
{
"title": "The First Document",
"content": "This is the initial content."
}
Elasticsearch, by default, creates an index with 5 primary shards and 1 replica shard for each primary shard. Even though you only have one node and one document, Elasticsearch sets up this structure in anticipation of growth. When you index that first document, Elasticsearch decides which of the 5 primary shards will house it. For example, it might be my-index_0 (shard 0 of my-index). This primary shard is responsible for storing and indexing the document. Since you have 1 replica configured, Elasticsearch also makes a copy of this shard, let’s say my-index_0 (replica 0 of shard 0), on another node if one exists, or it will wait for a second node to come online to create it. If you only have one node, the replica will remain unassigned until a second node joins.
The problem Elasticsearch shards solve is scalability and availability. If your index grew to be terabytes in size, a single machine might not be able to handle the load or store all the data. By splitting an index into multiple shards, each shard can reside on a different node. This allows you to:
- Scale out: Add more nodes to your cluster, and Elasticsearch can distribute shards across them, increasing your cluster’s capacity for storing data and handling search requests.
- Increase read throughput: Search requests can be executed in parallel across multiple shards and nodes.
- Improve availability: If a node fails, the data on that node is not lost because replicas exist on other nodes. Elasticsearch can then reassign the shard from the failed node to a replica, or create a new replica if needed.
Internally, each shard is a fully functional, self-contained Lucene index. When you perform a search, Elasticsearch broadcasts the request to all relevant primary shards (and their replicas). Each shard processes its portion of the query and returns its results. These partial results are then aggregated by the coordinating node into a final result set.
The key components you control are:
-
Number of Primary Shards: This is set when an index is created and cannot be changed later. It determines the maximum parallelism for indexing and searching and the maximum number of nodes a single index can be spread across. Choosing too few means you can’t scale out effectively. Choosing too many can lead to overhead with more shards to manage and potentially smaller shard sizes, which can be less efficient.
- Configuration Example (Index Creation):
Here,PUT /my-index { "settings": { "index": { "number_of_shards": 3, "number_of_replicas": 1 } } }number_of_shards: 3means the index will be split into 3 primary shards.
- Configuration Example (Index Creation):
-
Number of Replica Shards: This can be changed after an index is created. Replicas provide high availability and increased read capacity. Each replica shard is an exact copy of a primary shard. If a node holding a primary shard goes down, one of its replicas can be promoted to become the new primary.
- Configuration Example (Updating Replicas):
This command increases the number of replicas forPUT /my-index/_settings { "index": { "number_of_replicas": 2 } }my-indexto 2, meaning each primary shard will have two copies.
- Configuration Example (Updating Replicas):
Rebalancing is the process by which Elasticsearch automatically distributes shards across nodes in a cluster. When you add new nodes, Elasticsearch’s cluster manager detects the change and starts moving shards to balance the load and ensure optimal distribution. This is crucial for maintaining performance and availability. If a node is added, Elasticsearch will attempt to move shards to it until the shard count and data size per node are roughly equal. Conversely, if a node is removed, Elasticsearch will reallocate its shards to other available nodes.
The "rebalancing" process isn’t just about adding nodes. Elasticsearch is constantly monitoring shard allocation. If a node becomes overloaded or underutilized, or if a shard becomes unassigned (e.g., due to a node crash), Elasticsearch will initiate a rebalancing operation to move shards to achieve a more even distribution. This ensures that no single node becomes a bottleneck and that your data remains highly available. The rebalancing process happens automatically in the background and can be monitored via the cluster health API.
A key aspect of shard rebalancing is that Elasticsearch tries to avoid placing a primary shard and its replicas on the same physical node. This is a fundamental setting for high availability. If a node fails, and both the primary and its replica were on that node, you’d lose your data. Elasticsearch’s allocation deciders enforce this rule by default. You can, however, configure this behavior, but it’s generally not recommended unless you have a very specific, controlled environment.
When Elasticsearch rebalances shards, it doesn’t just copy data instantaneously. It initiates a shard copy process. A new replica shard is created on the target node, and data is streamed from the existing primary (or another replica) to populate it. During this process, the original primary remains active, and the new replica will catch up. Once the replica is in sync, it becomes available for read requests. This process can consume significant network bandwidth and disk I/O, which is why large rebalancing operations can impact cluster performance.
The "ideal" shard size is a topic of much debate, but generally, Elasticsearch recommends shards between 10GB and 50GB. Too many small shards (e.g., under 1GB) create management overhead and increase the load on the cluster manager. Too few very large shards (e.g., over 100GB) can make rebalancing slow and recovery from node failures a lengthy process. The number of primary shards is fixed at index creation, so it’s important to estimate your data growth and query patterns when setting this value.
The next concept you’ll grapple with is how Elasticsearch handles the aggregation of search results from distributed shards.