Bulk item insert failed

zen.xen · December 6, 2016, 2:27pm

Hello,
I have a problem since last Sunday with my ELK. All Windows machines which are monitored can't send events to the ELK server, in winlogbeat log there is something like:

2016-12-06T15:18:03+01:00 INFO Bulk item insert failed (i=34, status=503): {"type":"unavailable_shards_exception","reason":"[winlogbeat-2016.12.04][0] primary shard is not active Timeout: [1m], request: [shard bulk {[winlogbeat-2016.12.04][0]}]"}
2016-12-06T15:18:03+01:00 INFO Bulk item insert failed (i=35, status=503): {"type":"unavailable_shards_exception","reason":"[winlogbeat-2016.12.04][0] primary shard is not active Timeout: [1m], request: [shard bulk {[winlogbeat-2016.12.04][0]}]"}
2016-12-06T15:18:03+01:00 INFO Error publishing events (retrying): temporary bulk send failure
2016-12-06T15:18:03+01:00 INFO send fail
2016-12-06T15:18:03+01:00 INFO backoff retry: 1m0s

Software which I use:
elasticsearch-2.2.1
kibana-4.4.1-windows
logstash-2.2.2
winlogbeat-1.1.2-windows

I wasn't able to find solution, maybe someone will help me with my problem.

danielmitterdorfer · December 6, 2016, 3:26pm

Hi @zen.xen,

the Beats log tells you that primary shards for the winlogbeat index is not available. I suggest you look at the Elasticsearch logs and the cluster health API. That should give you a clue what's going on.

Daniel

zen.xen · December 7, 2016, 8:49am

Hi,
status Cluster Health is red, it is only one machine with ELK software, maybe this will be usefull:

Active Primary Shards	1,215
Active Shards	        1,215
Initializing Shards	1
Unassigned Shards	1,236

Is it possible to manually create index that is not available?

system · January 4, 2017, 8:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.