
What is OpenSearch? Open Source Search and Analytics Suite

OpenSearch is an open source, distributed search and analytics suite, forked from Elasticsearch 7.10 in 2021 by AWS and, since September 2024, maintained by an open community under the OpenSearch Software Foundation - a Linux Foundation project. It includes a search engine (OpenSearch), a visualization UI (OpenSearch Dashboards, forked from Kibana), and a broad set of plugins for security, alerting, anomaly detection, observability, and ML.

If Elasticsearch is "the thing you Google with," OpenSearch is the same engine under a permissive Apache 2.0 license, with a different governance model and a different commercial ecosystem.

Where OpenSearch Came From

In January 2021, Elastic NV relicensed Elasticsearch and Kibana from Apache 2.0 to a dual license (SSPL and Elastic License v2), which is not OSI-recognized as open source. AWS, which had been offering managed Elasticsearch as part of Amazon ES, forked the last permissively-licensed release (Elasticsearch 7.10 and Kibana 7.10) and launched OpenSearch in April 2021.

OpenSearch is now governed by the OpenSearch Software Foundation, launched under the Linux Foundation in September 2024. Premier members include AWS, SAP, and Uber; general members include Aiven, Aryn, Atlassian, Canonical, DigitalOcean, Eliatra, Graylog, NetApp Instaclustr, and Portal26. Elastic retains the Elasticsearch trademark; the two projects have diverged in features, internals, and APIs since the fork.

In 2024, Elastic also reintroduced an Affero GPL (AGPL) open-source licensing option for Elasticsearch alongside the existing licenses. The two ecosystems remain distinct: separate code bases, separate releases, separate plugin sets.

What's in OpenSearch

OpenSearch ships as a suite, not just a single binary:

| Component | What it is |
|---|---|
| OpenSearch | The search/analytics engine - distributed Lucene index, REST API |
| OpenSearch Dashboards | Visualization and UI, forked from Kibana 7.10 |
| Security plugin | Authentication, authorization, audit logging - built in, no separate subscription |
| Alerting plugin | Monitor and alert on query results, anomaly detection |
| Anomaly Detection plugin | ML-based time-series anomaly detection |
| Observability plugin | Logs, metrics, traces - PPL and Trace Analytics |
| k-NN plugin | Vector search (HNSW, IVF, Lucene, FAISS) |
| Neural Search and ML Commons | ML model serving, semantic search, hybrid retrieval |
| SQL plugin | SQL-style queries against indices |

The big difference vs Elasticsearch: in OpenSearch, all of this is Apache 2.0 and ships in the default distribution. Elasticsearch's equivalents (X-Pack security, Watcher, ML) are split between free and subscription tiers under the Elastic License.

OpenSearch Architecture

The architecture is the same as Elasticsearch's, which itself is the same as it was in 2021:

  • Cluster: a set of nodes that work together.
  • Node: a single OpenSearch process. Nodes have roles (data, master/cluster-manager, ingest, coordinating, ml, search) - see node types explained.
  • Index: a logical grouping of documents.
  • Shard: a Lucene index. Each OpenSearch index is split into one or more primary shards, each replicated.
  • Document: a JSON object stored in an index.

A typical production setup runs 3+ cluster-manager-eligible nodes for quorum, several data nodes, and optional coordinator-only or ingest-only nodes for separation of concerns.

Cluster
├── Cluster-manager nodes (3+) - metadata and coordination
├── Data nodes (N) - shards and queries
├── Ingest nodes (optional) - preprocessing pipelines
└── Coordinator nodes (optional) - query routing without storing data

For sizing guidance, see OpenSearch cluster architecture and sizing.

What OpenSearch is Used For

OpenSearch is a general-purpose search and analytics engine. The five canonical use cases:

1. Application search

Search UI for products, content, users, documents. The Lucene engine is excellent at relevance scoring, faceting, autocomplete, and fuzzy matching.

2. Log analytics and observability

A drop-in destination for application and infrastructure logs - paired with OpenSearch Dashboards, this is the most common deployment shape. This used to be the "ELK stack" (Elasticsearch, Logstash, Kibana); the OpenSearch equivalent is the OpenSearch Observability suite.

3. Security analytics (SIEM)

The Security Analytics plugin lets OpenSearch ingest security signals, run detection rules, and visualize incidents. Comparable to Elastic's SIEM features but Apache 2.0 licensed.

4. Time-series and metrics

OpenSearch handles time-series workloads through index rollover, ISM (index state management) policies, and queries optimized for time ranges. Good for moderate-volume metrics, less so for high-cardinality metrics where dedicated TSDBs (Prometheus, ClickHouse) do better.

5. Vector search and AI applications

The k-NN plugin and Neural Search make OpenSearch a strong vector database choice for retrieval-augmented generation (RAG), semantic search, and hybrid (keyword + vector) retrieval. See OpenSearch hybrid search guide.

OpenSearch vs Elasticsearch

They started identical and have drifted. A condensed comparison (full version at OpenSearch vs Elasticsearch):

| Dimension | OpenSearch | Elasticsearch |
|---|---|---|
| License | Apache 2.0 (all features) | Elastic License v2 + SSPL + AGPL (since 2024) |
| Governance | OpenSearch Software Foundation (Linux Foundation) | Elastic NV |
| Security | Built-in, free, full features | Free tier limited; X-Pack subscription for SSO, RBAC, audit |
| Managed services | AWS OpenSearch Service, Aiven, Bonsai, others | Elastic Cloud, third parties |
| Vector search | k-NN plugin, multiple engines | _search with vectors, Lucene/Elasticsearch native |
| ML / AI features | Apache 2.0, in default distribution | Mix of free and paid |
| Code base | Forked from 7.10, evolved separately | Maintained by Elastic |
| API compatibility | Mostly Elasticsearch 7.x compatible; Elasticsearch 8.x and 9.x APIs diverged | Elasticsearch 9.x is the current major |

The pragmatic choice: if you want free, all-features-included, and a non-vendor governance model, OpenSearch. If you want the latest Elastic-built features (ES|QL, the newer security analytics offerings, integrations with the Elastic Stack), Elasticsearch.

Deployment Options

Common ways to run OpenSearch:

  • Amazon OpenSearch Service - AWS's managed offering, the largest by deployment count. See what is Amazon OpenSearch Service.
  • Aiven for OpenSearch, Bonsai, Instaclustr, etc. - other managed providers.
  • Self-hosted on VMs - the standard install, tarball or RPM/DEB packages.
  • Kubernetes - via the OpenSearch Helm chart or Kubernetes operator.
  • Docker - the official images for development and lightweight production.

For migration guidance from Elasticsearch, see OpenSearch migration guide.

Common Mistakes

  1. Treating OpenSearch as a drop-in for Elasticsearch 8/9. The fork happened at 7.10. Many newer Elasticsearch features (ES|QL, parts of the search APIs, some ILM extensions) aren't in OpenSearch, and OpenSearch has its own additions (Notifications plugin, Security Analytics, PPL) that aren't in Elasticsearch.
  2. Ignoring shard sizing. Like Elasticsearch, OpenSearch performance is dominated by shard count and size. The classic guidance still applies: target 20-50 GB per shard, avoid thousands of tiny shards. See OpenSearch sharding strategy.
  3. Skipping ISM policies for logs. Without index state management, indices grow without bound. Set up rollover and retention from day one.
  4. Running with default heap. The default 1 GB heap is fine for development, miserable for production. Half of system RAM, up to 32 GB, is the typical recommendation - same as Elasticsearch.
  5. Mixing Elasticsearch and OpenSearch clients indiscriminately. Elasticsearch 8.x+ clients explicitly reject OpenSearch connections via a version check. Use the OpenSearch clients (opensearch-py, opensearch-java, etc.) for OpenSearch, or compatible-mode Elasticsearch 7.x clients.

Monitoring OpenSearch

Cluster health metrics to watch:

  • Cluster status: green / yellow / red - red is always a problem.
  • JVM heap usage: sustained >75% leads to GC pressure and slow queries.
  • Shard count per node and total cluster: shard explosion is the most common cause of cluster instability.
  • Query and indexing latency at p95/p99.
  • Pending tasks: queued cluster state updates; growing means the cluster-manager is overloaded.
  • Disk watermarks: cluster routes around full nodes; once flood-stage hits, indices go read-only.
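
As an added example (not Pulse's or the OpenSearch project's code), the Python below evaluates four of these signals over a series of polls, so that "sustained" heap and "growing" pending tasks are judged across a window rather than from a single reading. The poll records are constructed samples that carry fields from `GET _cluster/health` plus per-node `heap_used_percent` from `GET _nodes/stats/jvm`; the three-poll window and the shards-per-node threshold are assumptions to tune per cluster.

```python
HEAP_WARN_PCT = 75           # threshold from the list above
SUSTAINED_POLLS = 3          # assumption: "sustained"/"growing" = 3 polls in a row
SHARDS_PER_NODE_WARN = 1000  # assumption: tune to your own shard budget


def poll(status, pending, shards, heap):
    """Build one reduced poll record (field names follow the REST responses)."""
    return {"status": status, "number_of_pending_tasks": pending,
            "active_shards": shards, "number_of_data_nodes": len(heap),
            "heap_used_percent": heap}


# Constructed samples, oldest first; not taken from a real cluster.
POLLS = [
    poll("green", 2, 2900, {"data-1": 72, "data-2": 61, "data-3": 79}),
    poll("green", 9, 2950, {"data-1": 78, "data-2": 64, "data-3": 74}),
    poll("yellow", 21, 3060, {"data-1": 81, "data-2": 66, "data-3": 77}),
    poll("yellow", 40, 3120, {"data-1": 84, "data-2": 63, "data-3": 76}),
]


def evaluate(polls):
    """Return (severity, check, detail) findings for the newest poll."""
    latest, window = polls[-1], polls[-SUSTAINED_POLLS:]
    findings = []
    if latest["status"] == "red":
        findings.append(("critical", "status", "red"))
    elif latest["status"] == "yellow":
        findings.append(("warning", "status", "yellow"))
    if len(window) == SUSTAINED_POLLS:
        # Heap: flag only nodes above the threshold in every poll of the window.
        for node in sorted(latest["heap_used_percent"]):
            samples = [p["heap_used_percent"].get(node, 0) for p in window]
            if min(samples) > HEAP_WARN_PCT:
                findings.append(("warning", "heap", f"{node} {samples}"))
        # Pending tasks: flag a queue that grew on every poll of the window.
        pending = [p["number_of_pending_tasks"] for p in window]
        if all(a < b for a, b in zip(pending, pending[1:])):
            findings.append(("warning", "pending_tasks", str(pending)))
    per_node = latest["active_shards"] / max(latest["number_of_data_nodes"], 1)
    if per_node > SHARDS_PER_NODE_WARN:
        findings.append(("warning", "shards_per_node", f"{per_node:.0f}"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(POLLS):
        print(*finding)
```

Note that `data-3` is not flagged even though its latest reading is above 75%, because one poll in the window dipped below the threshold.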

Pulse provides AI-powered monitoring for OpenSearch, Elasticsearch, Kafka, and ClickHouse, with proactive analysis of shard distribution, heap pressure, slow queries, and ISM policy effectiveness. Start a free trial to see what it surfaces on your clusters.

Frequently Asked Questions

Q: Is OpenSearch the same as Elasticsearch?
A: They started identical - OpenSearch is a fork of Elasticsearch 7.10 - but have diverged since 2021. Core features are similar; newer features differ. License and governance differ entirely: OpenSearch is Apache 2.0 under the Linux Foundation; Elasticsearch is dual-licensed under Elastic NV.

Q: Is OpenSearch free?
A: Yes. All features, including security, alerting, ML, and vector search, are Apache 2.0 and free to use commercially. Managed services (AWS OpenSearch Service, Aiven, etc.) charge for the hosting, not the software.

Q: Who owns OpenSearch?
A: Since September 2024, the OpenSearch Software Foundation, part of the Linux Foundation. AWS contributed the project to a vendor-neutral foundation. Premier members include AWS, SAP, and Uber, with general members from Aiven, Atlassian, Canonical, DigitalOcean, and others.

Q: Can I migrate from Elasticsearch to OpenSearch?
A: Yes. Migration from Elasticsearch 6.x-7.10 is straightforward (snapshot/restore or reindex). Migration from Elasticsearch 7.11+ is more involved because indices created by post-fork versions aren't compatible. See the OpenSearch migration guide.

Q: Does OpenSearch support vector search?
A: Yes, via the built-in k-NN plugin. It supports HNSW, IVF, and Lucene-based indexing with Faiss as a backend option. The Neural Search plugin adds high-level APIs for semantic search and hybrid retrieval. See OpenSearch hybrid search guide.

Q: Is OpenSearch a database?
A: It can be used as a primary data store for some workloads (logs, search indices, document stores) but isn't a general-purpose transactional database. It's eventually consistent and doesn't support transactions across documents. The same caveats apply as for Elasticsearch - see Is Elasticsearch a database.

Q: What's the difference between OpenSearch and Amazon OpenSearch Service?
A: OpenSearch is the open source software. Amazon OpenSearch Service is AWS's managed offering that runs OpenSearch on AWS infrastructure with automation for provisioning, upgrades, backups, and monitoring. You can also run open source OpenSearch yourself or use other managed providers.
