Elasticsearch Interview Questions and Answers: Fundamentals, Architecture, and Operations

This article compiles basic Elasticsearch interview questions and provides concise answers.

Elasticsearch is a distributed, RESTful search and analytics engine built on Lucene, offering real‑time indexing and search, a simple REST API, and scalability for PB‑level data.

Current stable version (as of 2020) is 7.10; early versions required a JDK, later versions bundle it.

To start a node, run ./elasticsearch -d and verify with http:// ES_IP :9200 .

Major companies using Elasticsearch include Alibaba, Tencent, Baidu, JD.com, Meituan, Xiaomi, Didi, Ctrip, Toutiao, and many others.

A cluster consists of multiple nodes; nodes can be master, data, coordinating, ingest, or voting nodes.

An index is analogous to a relational table; types have been deprecated since 7.x.

Mapping defines field types and indexing behavior; examples of creating or updating mapping are shown with PUT test_001/_mapping JSON.

Documents are stored as JSON; shards divide an index, replicas provide high availability.

Index creation uses the Create Index API with settings, mappings, and optional aliases; deletion uses DELETE or wildcard DELETE my_* .

Listing indices: GET _cat/indices . Updating mapping: PUT test_001/_mapping with JSON body.

Retrieving a document by ID: GET test_001/_doc/1 .

Relevance scoring combines term frequency and inverse document frequency.

Search can be performed via DSL ( GET /shirts/_search JSON query), URL parameters, or the SQL endpoint.

Query types include exact match (term, range, etc.) and full‑text (match, multi_match, query_string).

Aggregations (bucket, metric, pipeline) enable statistical analysis of search results.

Data is stored as JSON documents; analyzers (standard, whitespace, stop, keyword) process text, consisting of character filters, tokenizers, and token filters.

Ingest nodes run pipelines for pre‑processing; master nodes manage cluster state, with candidate master nodes ready for election.

Field attributes such as enabled, index, and store control parsing, indexing, and storage behavior.

Elasticsearch provides near‑real‑time (NRT) search with a default refresh interval of 1 second.

REST API offers language‑agnostic, stateless communication for cluster management.

Installation packages are OS‑specific; some features (e.g., machine learning) require a paid license.

Configuration management tools include Ansible, Chef, Puppet, and Salt Stack.

X‑Pack adds security, monitoring, reporting, and alerting capabilities.

Cat API commands (e.g., GET _cat/health , GET _cat/indices ) provide cluster health and statistics.

Explore API (graph) and Migration API are available for advanced use cases.

Search API retrieves data from indices; field data types cover text, keyword, numeric, date, boolean, binary, range, object, nested, and geo types.

The ELK stack (Elasticsearch, Logstash, Kibana, Beats) offers end‑to‑end log collection, processing, storage, and visualization.

Kibana visualizes data; Logstash ingests and transforms data; Beats ship lightweight data streams.

Elastic Reporting (paid) can export results to PDF, PNG, or CSV.

Common use cases include e‑commerce search, fraud detection, market intelligence, risk management, and security analytics.