Loading

Reading indices from older Elasticsearch versions

Elastic Stack Elastic Cloud Hosted Self Managed

Elasticsearch has full query and write support for indices created in the previous major version. If you have indices created in Elasticsearch versions 5 or 6, you can use the archive functionality to import them into newer Elasticsearch versions as well.

The archive functionality provides slower read-only access to older Elasticsearch data, for compliance or regulatory reasons, the occasional lookback or investigation, or to rehydrate parts of it. Access to the data is expected to be infrequent, and can therefore happen with limited performance and query capabilities.

For this, Elasticsearch can access older snapshot repositories going back to version 5. The legacy indices in the snapshot repository can either be restored or directly accessed through searchable snapshots so that the archived data won’t need to fully reside on local disks for access.

Old mappings are imported as close as possible into Elasticsearch 9, but only provide regular query capabilities on a select subset of fields:

  • Numeric types
  • boolean type
  • ip type
  • geo_point type
  • date types: the date format setting on date fields is supported as long as it behaves similarly across these versions. If it is not, for example, when using custom date formats, this field can be updated on legacy indices so a user can change it if needed.
  • keyword type: The normalizer setting on keyword fields is supported as long as it behaves similarly across these versions. If they do not, they can be updated on legacy indices if necessary.
  • text type: Scoring capabilities are limited, and all queries return constant scores equal to 1.0. The analyzer settings on text fields are supported as long as they behave similarly across these versions. If they don't, they can be updated on legacy indices.
  • Multi-fields
  • Field aliases
  • object fields
  • some basic metadata fields, such as _type for querying Elasticsearch 5 indices
  • runtime fields
  • _source field

Elasticsearch 5 indices with mappings that have multiple mapping types are collapsed together on a best-effort basis before being imported.

If auto-importing mappings does not work, or the new Elasticsearch version doesn't understand the mapping, it falls back to importing the index without the mapping, but stores the original mapping in the _meta section of the imported index. Users can then examine the legacy mapping using the GET mapping API, and manually update the mapping using the update mapping API, copying and adapting relevant sections of the legacy mapping to work with the current Elasticsearch version. While auto-import is expected to work in most cases, any failures should be raised with the Elastic team for future improvements.

Supported APIs

Archive indices are read-only and provide data access through the search and field capabilities APIs. They do not support the Get API or any write APIs.

Archive indices allow running queries and aggregations if the field type supports them.

Due to _source access, the data can also be reindexed to a new index that's fully compatible with the current Elasticsearch version.

Upgrade older Elasticsearch clusters

To upgrade older Elasticsearch 5 or 6 clusters:

  1. Take a snapshot of the indices in the old cluster.
  2. Delete any indices created before 8.0.0.
  3. Upgrade the cluster without the old indices, then restore the legacy indices from the snapshot or mount them using searchable snapshots.