📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search

This content originally appeared on DEV Community and was authored by João Victor

Working with logs, telemetry, or large-scale datasets in OpenSearch can result in slow and heavy queries. This guide covers everything a Tech Lead needs to know about optimizing searches using the Asynchronous Search API in OpenSearch Dashboards.

🧩 Architecture and Concepts

OpenSearch consists of:

Cluster → group of nodes that store and process data.
Shards → distributed index fragments.
Dashboards → visualization interface and REST Dev Tools.
Plugins → extensions such as Security, Reports, and Asynchronous Search.

The asynchronous search (_plugins/_asynchronous_search) executes queries in the background, allowing progress tracking, cancellation, or retrieval without blocking the client.

Simplified flow:

[Dashboards / API]
   ↓
POST /_plugins/_asynchronous_search
   ↓
→ Cluster processes the query in the background
   ↓
← Returns ID
   ↓
GET /_plugins/_asynchronous_search/{id}
DELETE /_plugins/_asynchronous_search/{id}

⚙️ Full Request Example

POST /_plugins/_asynchronous_search?index=logs*,events*&keep_on_completion=true&wait_for_completion_timeout=2s
{
  "size": 5000,
  "track_total_hits": false,
  "_source": ["timestamp", "source_ip", "event_type"],
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": { "gte": "now-30d" }
          }
        }
      ],
      "must": [
        {
          "query_string": {
            "query": "*malware*",
            "fields": ["message", "event_type"],
            "analyze_wildcard": true,
            "allow_leading_wildcard": true
          }
        }
      ]
    }
  }
}

✅ Expected Response (simplified)

{
  "id": "F3B7E5A6-24C3-11EF-AEA3-12AB34CD56EF",
  "is_partial": false,
  "is_running": true,
  "response": {
    "took": 134,
    "timed_out": false,
    "hits": { "total": 2381, "hits": [] }
  }
}

🧠 Synchronous vs Asynchronous Search

Type	Endpoint	Blocks Client	Ideal for
Synchronous	`POST /_search`	✅ Yes	Fast queries (<5s)
Asynchronous	`POST /_plugins/_asynchronous_search`	❌ No	Big Data, reports, multi-index queries

Asynchronous search immediately returns an ID, and processing continues on the server side.

📈 Key Parameters

Parameter	Description	Example	Notes
`index`	Target indices	`logs, events`	Use wildcards cautiously
`keep_on_completion`	Keeps result after completion	`true`	Required for later retrieval
`wait_for_completion_timeout`	Initial wait before returning ID	`2s`	Keeps client responsive
`keep_alive`	Result retention period	`1d`, `7d`	Useful for scheduled reports
`track_total_hits`	Counts all documents	`false`	Disable for Big Data
`_source`	Returned fields	`["timestamp", "message"]`	Avoid wildcard `*`

🔍 Query Structure

Optimized example:

{
  "bool": {
    "filter": [
      { "range": { "@timestamp": { "gte": "now-7d" } } }
    ],
    "must": [
      { "match": { "event_type": "unauthorized_access" } }
    ]
  }
}

Expected Output:

{
  "hits": {
    "total": 542,
    "max_score": 1.0,
    "hits": [
      {
        "_index": "logs-2025.11",
        "_id": "Dfgh12345",
        "_source": {
          "timestamp": "2025-11-03T22:14:25Z",
          "event_type": "unauthorized_access",
          "source_ip": "192.168.3.24"
        }
      }
    ]
  }
}

⚡Performance Tips

Prefer filter for exact and date fields (cacheable).
Avoid leading wildcards (*malware* → slow).
Reduce size (1k–5k) and use scroll or search_after.
Adjust refresh_interval for static indices.
Monitor heap with _nodes/stats/jvm.
Disable track_total_hits for non-analytic searches.

🧮 Monitoring and Management

Check progress

GET /_plugins/_asynchronous_search/F3B7E5A6-24C3-11EF-AEA3-12AB34CD56EF

Expected Output:

{
  "id": "F3B7E5A6-24C3-11EF-AEA3-12AB34CD56EF",
  "is_running": false,
  "is_partial": false,
  "response": {
    "took": 3210,
    "hits": { "total": 2381, "hits": [...] }
  }
}

Global statistics

GET /_plugins/_asynchronous_search/stats

Expected Output:

{
  "total": {
    "submitted": 102,
    "completed": 95,
    "running": 7,
    "failed": 0
  }
}

Cancel or delete old searches

DELETE /_plugins/_asynchronous_search/F3B7E5A6-24C3-11EF-AEA3-12AB34CD56EF

🔒 Security and Access Control

Required permission: cluster:admin/opensearch/asynchronous_search/*
Results stored in internal indices (.opendistro-asynchronous-search*)
Always enable TLS and authentication (BasicAuth, JWT, or SAML).
Use DLS/FLS to restrict sensitive data.
Perform periodic cleanup of old searches.

📚 References

This content originally appeared on DEV Community and was authored by João Victor

Print Share Comment Cite Upload Translate Updates

APA

João Victor | Sciencx (2025-11-05T00:47:17+00:00) 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search. Retrieved from https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/

MLA

" » 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search." João Victor | Sciencx - Wednesday November 5, 2025, https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/

HARVARD

João Victor | Sciencx Wednesday November 5, 2025 » 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search., viewed ,<https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/>

VANCOUVER

João Victor | Sciencx - » 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/

CHICAGO

" » 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search." João Victor | Sciencx - Accessed . https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/

IEEE

" » 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search." João Victor | Sciencx [Online]. Available: https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/. [Accessed: ]

rf:citation

» 📊🔍 OpenSearch Dashboards: Optimizing Massive Data Queries (Big Data) with Asynchronous Search | João Victor | Sciencx | https://www.scien.cx/2025/11/05/%f0%9f%93%8a%f0%9f%94%8d-opensearch-dashboards-optimizing-massive-data-queries-big-data-with-asynchronous-search/ |

Please log in to upload a file.

There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.

🧩 Architecture and Concepts

⚙️ Full Request Example

✅ Expected Response (simplified)

🧠 Synchronous vs Asynchronous Search

📈 Key Parameters

🔍 Query Structure

⚡Performance Tips

🧮 Monitoring and Management

Check progress

Global statistics

Cancel or delete old searches

🔒 Security and Access Control

📚 References

Related Posts