elasticsearch-definitive-guide-en
Introduction
1. Getting started
2. Distributed Cluster
3. Data In Data Out
4. Distributed CRUD
5. Search
6. Mapping Analysis
7. Query DSL
8. 056_Sorting
9. Distributed Search
10. 070_Index_Mgmt
11. 075_Inside_a_shard
- 11.1. 20_Making_text_searchable
- 11.2. 30_dynamic_indices
- 11.3. 40_Near_real_time
- 11.4. 50_Persistent_changes
- 11.5. 60_Segment_merging
12. 080_Structured_Search
- 12.1. 05_term
- 12.2. 10_compoundfilters
- 12.3. 15_terms
- 12.4. 20_contains
- 12.5. 25_ranges
- 12.6. 30_existsmissing
- 12.7. 40_bitsets
- 12.8. 45_filter_order

elasticsearch-definitive-guide-en

[[translog]] === Making Changes Persistent

Without an fsync to flush data in the filesystem cache to disk, we cannot be sure that the data will still ((("persistent changes, making")))((("changes, persisting")))be there after a power failure, or even after exiting the application normally. For Elasticsearch to be reliable, it needs to ensure that changes are persisted to disk.

In <>, we said that a full commit flushes segments to disk and writes a commit point, which lists all known segments.((("commit point"))) Elasticsearch uses this commit point during startup or when reopening an index to decide which segments belong to the current shard.

While we refresh once every second to achieve near real-time search, we still need to do full commits regularly to make sure that we can recover from failure. But what about the document changes that happen between commits? We don't want to lose those either.

Elasticsearch added a translog, or transaction log,((("translog (transaction log)"))) which records every operation in Elasticsearch as it happens. With the translog, the process now looks like this:

When a document is indexed, it is added to the in-memory buffer and appended to the translog, as shown in <>. + [[img-xlog-pre-refresh]] .New documents are added to the in-memory buffer and appended to the transaction log image::images/elas_1106.png["New documents are added to the in-memory buffer and appended to the transaction log"]
The refresh leaves the shard in the state depicted in <>. Once every second, the shard is refreshed:

+

The docs in the in-memory buffer are written to a new segment, without an fsync. The segment is opened to make it visible to search.

** The in-memory buffer is cleared.

[[img-xlog-post-refresh]] .After a refresh, the buffer is cleared but the transaction log is not

image::images/elas_1107.png["After a refresh, the buffer is cleared but the transaction log is not"]

This process continues with more documents being added to the in-memory buffer and appended to the transaction log (see <>). + [[img-xlog-pre-flush]] .The transaction log keeps accumulating documents image::images/elas_1108.png["The transaction log keeps accumulating documents"]

Every so often--such as when the translog is getting too big--the index is flushed; a new translog is created, and a full commit is performed (see <>):
+
Any docs in the in-memory buffer are written to a new segment. The buffer is cleared. A commit point is written to disk. The filesystem cache is flushed with an fsync. ** The old translog is deleted.

The translog provides a persistent record of all operations that have not yet been flushed to disk. When starting up, Elasticsearch will use the last commit point to recover known segments from disk, and will then replay all operations in the translog to add the changes that happened after the last commit.

The translog is also used to provide real-time CRUD. When you try to retrieve, update, or delete a document by ID, it first checks the translog for any recent changes before trying to retrieve the document from the relevant segment. This means that it always has access to the latest known version of the document, in real-time.

[[img-xlog-post-flush]] .After a flush, the segments are fully commited and the transaction log is cleared image::images/elas_1109.png["After a flush, the segments are fully commited and the transaction log is cleared"]

[[flush-api]] ==== flush API

The action of performing a commit and truncating the translog is known in Elasticsearch as a flush. ((("flushes"))) Shards are flushed automatically every 30 minutes, or when the translog becomes too big. See the http://bit.ly/1E3HKbD[`translog` documentation] for settings that can be used((("translog (transaction log)", "flushes and"))) to control these thresholds:

The http://bit.ly/1ICgxiU[`flush` API] can ((("indices", "flushing")))((("flush API")))be used to perform a manual flush:

[source,json]

POST /blogs/_flush <1>

POST /_flush?wait_for_ongoing <2>

<1> Flush the blogs index.

<2> Flush all indices and wait until all flushes have completed before returning.

You seldom need to issue a manual flush yourself; usually, automatic flushing is all that is required.

That said, it is beneficial to <> your indices before restarting a node or closing an index. When Elasticsearch tries to recover or reopen an index, it has to replay all of the operations in the translog, so the shorter the log, the faster the recovery.

.How Safe Is the Translog?

The purpose of the translog is to ensure that operations are not lost. This begs the question: how safe((("translog (transaction log)", "safety of"))) is the translog?

Writes to a file will not survive a reboot until the file has been +fsync+'ed to disk. By default, the translog is +fsync+'ed every 5 seconds. Potentially, we could lose 5 seconds worth of data--if the translog were the only mechanism that we had for dealing with failure.

Fortunately, the translog is only part of a much bigger system. Remember that an indexing request is considered successful only after it has completed on both the primary shard and all replica shards. Even if the node holding the primary shard were to suffer catastrophic failure, it would be unlikely to affect the nodes holding the replica shards at the same time.

While we could force the translog to fsync more frequently (at the cost of indexing performance), it is unlikely to provide more reliability.