Technical

Validation & Queries

Cluster health verification, Korean search demonstrations, aggregation results, and snapshot validation.

Cluster Health

Status: GREEN (all shards allocated)

Nodes: 3 (3 data, 3 master-eligible)

Active Shards: 100% (0 unassigned)

Indices: 2 (maclab-logs + support-tickets)

GET _cluster/health
{
  "cluster_name": "maclab-es",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 3,
  "number_of_data_nodes": 3,
  "active_primary_shards": 11,
  "active_shards": 22,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "active_shards_percent_as_number": 100.0
}

GREEN means all primary and replica shards are allocated. With 11 primary shards and 1 replica each, we have 22 total shards distributed across 3 nodes. The system indices (.security, .kibana, etc.) contribute to the shard count beyond our 2 user indices.

Korean Search Results

Multi-match query: "클러스터 상태"
GET support-tickets/_search
{
  "query": {
    "multi_match": {
      "query": "클러스터 상태",
      "fields": ["title^2", "description"],
      "analyzer": "korean"
    }
  },
  "highlight": {
    "fields": {
      "title": {},
      "description": {}
    }
  }
}

// 3 results returned:
// 1. T001 — "클러스터 상태 RED 긴급 대응"
//    Highlight: "<em>클러스터</em> <em>상태</em> RED 긴급 대응"
//    Score: 4.82
//
// 2. T005 — "클러스터 성능 모니터링 설정"
//    Highlight: "<em>클러스터</em> 성능 모니터링 설정"
//    Score: 1.23
//
// 3. T008 — "클러스터 노드 추가 후 샤드 재배치"
//    Highlight: "<em>클러스터</em> 노드 추가 후 샤드 재배치"
//    Score: 0.95

The title field is boosted 2x (title^2) so title matches score higher than description matches. The Nori analyzer decomposes compound Korean words into morphemes, enabling partial matches (e.g., "클러스터" matches even when the full phrase "클러스터 상태" is not present).

Aggregation Results

Severity Breakdown

critical: 2
high: 3
medium: 3
low: 2

Product Distribution

elasticsearch: 5 tickets
kibana: 3 tickets
elastic-agent: 2 tickets

Aggregation query
GET support-tickets/_search
{
  "size": 0,
  "aggs": {
    "severity_breakdown": {
      "terms": { "field": "severity" }
    },
    "product_distribution": {
      "terms": { "field": "product" }
    },
    "avg_resolution_time": {
      "avg": { "field": "resolution_hours" }
    }
  }
}

// avg_resolution_time: 5.2 hours

Average Resolution Time

5.2 hours average

Across 10 support tickets, the average resolution time is 5.2 hours. Critical tickets average 2.5 hours, while low-severity tickets average 8.0 hours. This metric is useful for SLA tracking and capacity planning in a real support organization.

Log Level Aggregation

GET maclab-logs-*/_search
{
  "size": 0,
  "aggs": {
    "log_levels": {
      "terms": { "field": "log_level" }
    }
  }
}

// Results:
// info:  8 documents
// warn:  4 documents
// error: 3 documents

Snapshot Validation

GET _snapshot/maclab-backup/snapshot_1
{
  "snapshots": [{
    "snapshot": "snapshot_1",
    "uuid": "abc123...",
    "state": "SUCCESS",
    "indices": [
      "maclab-logs-2024.01",
      "support-tickets"
    ],
    "shards": {
      "total": 3,
      "failed": 0,
      "successful": 3
    },
    "start_time": "2024-01-20T10:00:00.000Z",
    "end_time": "2024-01-20T10:00:02.500Z",
    "duration_in_millis": 2500
  }]
}

Snapshot completed successfully in 2.5 seconds, backing up all 3 shards across both user indices. The snapshot repository is configured as a shared filesystem repository mounted across all nodes. In production, you would typically use S3, GCS, or Azure Blob Storage for snapshot storage.
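The cluster-health and snapshot responses above are read by eye in this lab; the following added example (not part of the original writeup) turns both into automated pass/fail checks. The two sample responses are constructed to mirror the ones shown, and the expected replica count, data-node count and index set are assumptions passed in as parameters.

```python
# Added example (not from the lab): turn the cluster-health and snapshot
# responses shown above into pass/fail checks. Samples are constructed.
import json
# Constructed sample mirroring GET _cluster/health above (checked fields only).
HEALTH = json.loads("""{"status": "green", "timed_out": false,
  "number_of_data_nodes": 3, "active_primary_shards": 11, "active_shards": 22,
  "relocating_shards": 0, "initializing_shards": 0, "unassigned_shards": 0,
  "delayed_unassigned_shards": 0}""")

# Constructed sample mirroring GET _snapshot/maclab-backup/snapshot_1 above.
SNAPSHOT = json.loads("""{"snapshots": [{"snapshot": "snapshot_1",
  "state": "SUCCESS", "indices": ["maclab-logs-2024.01", "support-tickets"],
  "shards": {"total": 3, "failed": 0, "successful": 3}}]}""")


def check_cluster_health(health, min_data_nodes=3, replicas=1):
    """Return findings (empty list = pass). Checks more than the colour:
    data-node count and the primary/replica ratio the lab relies on (11*2=22)."""
    findings = []
    if health.get("status") != "green" or health.get("timed_out"):
        findings.append(f"status {health.get('status')!r} "
                        f"(timed_out={health.get('timed_out')}), expected green")
    if health.get("number_of_data_nodes", 0) < min_data_nodes:
        findings.append(f"{health.get('number_of_data_nodes')} data nodes, "
                        f"expected >= {min_data_nodes}")
    for key in ("unassigned_shards", "delayed_unassigned_shards",
                "relocating_shards", "initializing_shards"):
        if health.get(key, 0) != 0:
            findings.append(f"{key} = {health[key]}, expected 0")
    expected = health.get("active_primary_shards", 0) * (1 + replicas)
    if health.get("active_shards") != expected:
        findings.append(f"active_shards {health.get('active_shards')}, "
                        f"expected {expected} with {replicas} replica(s)")
    return findings


def check_snapshot(resp, name, expected_indices):
    """Return findings for one snapshot; empty list = usable restore point."""
    snaps = [s for s in resp.get("snapshots", []) if s.get("snapshot") == name]
    if not snaps:
        return [f"snapshot {name!r} not in response"]
    snap, findings = snaps[0], []
    if snap.get("state") != "SUCCESS":
        findings.append(f"state {snap.get('state')!r}, expected 'SUCCESS'")
    sh = snap.get("shards", {})
    if sh.get("failed", 0) or sh.get("successful") != sh.get("total"):
        findings.append(f"shards {sh}: expected 0 failed, successful == total")
    missing = set(expected_indices) - set(snap.get("indices", []))
    if missing:
        findings.append(f"indices missing from snapshot: {sorted(missing)}")
    return findings
```

Both functions return an empty list for the lab's responses; a yellow cluster, a lost data node, a failed snapshot shard or an index missing from the snapshot each produce a specific finding instead of a bare colour.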