Cluster currently has [1000]/[1000] maximum normal shards open

diselkgd7 · March 6, 2024, 10:42am

I have what is like a Newbee question, I hope it makes sense how I explain it.

I noticed that logs are not being ingested by my 1 node cluster and logstash complains about the maximum normal shards open - can you help me identify what I am doing wrong please.

The output I have configured for logstash is directing the logs to this index

index => "vmware_esxi-%{+YYYY.MM.dd}"

and I can see in kibana that the indices are being created and kept open

what I've setup in terms of indexes is this:
index template with Index pattern "vmware_esxi-*"

{
  "index": {
    "lifecycle": {
      "name": "pci_1y"
    },
    "number_of_shards": "1",
    "number_of_replicas": "1"
  }
}

the index for yesterday is about 25.71gb and "GET /vmware_esxi-2024.03.05" is

{
  "vmware_esxi-2024.03.05": {
    "aliases": {},
    "mappings": {
      "properties": {
...
      }
    },
    "settings": {
      "index": {
        "routing": {
          "allocation": {
            "include": {
              "_tier_preference": "data_content"
            }
          }
        },
        "number_of_shards": "1",
        "provided_name": "vmware_esxi-2024.03.05",
        "creation_date": "1709596800288",
        "number_of_replicas": "1",
        "uuid": "d1J6jTidS2Sp-FsycSKTCw",
        "version": {
          "created": "8060299"
        }
      }
    }
  }
}

the ilm policy is this (obtained via "GET _ilm/policy/pci_1y") - if it says "indices": does that mean this is not applying to any indices?

{
  "pci_1y": {
    "policy": {
      "phases": {
        "warm": {
          "min_age": "30d",
          "actions": {
            "set_priority": {
              "priority": 50
            }
          }
        },
        "cold": {
          "min_age": "90d",
          "actions": {
            "set_priority": {
              "priority": 0
            }
          }
        },
        "hot": {
          "min_age": "0ms",
          "actions": {
            "set_priority": {
              "priority": 100
            },
            "rollover": {
              "max_primary_shard_size": "50gb",
              "max_age": "30d"
            }
          }
        },
        "delete": {
          "min_age": "365d",
          "actions": {
            "delete": {
              "delete_searchable_snapshot": true
            }
          }
        }
      }
    },
    "in_use_by": {
      "indices": [],
      "data_streams": [],
      "composable_templates": [
        "vmware_esxi"
      ]
    }
  }
}

dadoonet · March 6, 2024, 12:20pm

What is the output of:

GET /
GET /_cat/nodes?v
GET /_cat/health?v
GET /_cat/indices?v

If some outputs are too big, please share them on gist.github.com and link them here.

diselkgd7 · March 6, 2024, 10:40pm

Thanks, this is the output requested:

GET /

{
  "name": "pnl0000vspr4306",
  "cluster_name": "elasticsearch",
  "cluster_uuid": "ejYdH5t2QqWZ3hkF0hIquQ",
  "version": {
    "number": "8.6.2",
    "build_flavor": "default",
    "build_type": "rpm",
    "build_hash": "2d58d0f136141f03239816a4e360a8d17b6d8f29",
    "build_date": "2023-02-13T09:35:20.314882762Z",
    "build_snapshot": false,
    "lucene_version": "9.4.2",
    "minimum_wire_compatibility_version": "7.17.0",
    "minimum_index_compatibility_version": "7.0.0"
  },
  "tagline": "You Know, for Search"
}

GET /_cat/nodes?v

ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
10.6.11.104           64          97  70    7.85    6.91     6.17 cdfhilmrstw *      pnl0000vspr4306

GET /_cat/health?v

epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1709764255 22:30:55  elasticsearch yellow          1         1    530 530    0    0      431             0                  -                 55.2%

GET /_cat/indices?v

gist.github.com

https://gist.github.com/ppgdghacc/4700ddb2367ab250d3b560a7f4e88dc1

elk_indices

health status index                                                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   .ds-metricbeat-8.6.2-2023.10.26-000006                            mJTf0PtlTQmd1tb95LDIEg   1   1    1841652            0    174.9mb        174.9mb
yellow open   .ds-metrics-vsphere.datastore-default-2023.04.20-000002           iw7Cn3IoS8ejVWqMsc5D5Q   1   1          0            0       225b           225b
yellow open   .ds-filebeat-8.6.2-2023.11.25-000007                              iytOTFoQTpefo_efarRFUA   1   1   84636063            0     27.2gb         27.2gb
green  open   vmware_vcsa-2024.03.04                                            Zsm45zr4SsK9t90mGRX6eA   1   0     266759            0       90mb           90mb
green  open   vmware_vcsa-2024.03.05                                            9LCTh0_9RN-J0sQFaPyLcw   1   0    6954808            0      2.2gb          2.2gb
green  open   vmware_vcsa-2024.03.06                                            sJSSBuFqSAKB0iOyEIQZ_Q   1   0    3858924            0      1.2gb          1.2gb
green  open   .elastic-connectors-sync-jobs-v1                                  2YvPVdQ0RN2V5dzkZrXjqg   1   0          0            0       225b           225b
yellow open   .ds-metricbeat-8.6.2-2024.03.04-000010                            uwsU_bx1T2ubd_p85W66aA   1   1     155214            0     19.2mb         19.2mb
green  open   vmware_vcsa-2023.09.30                                            VcaszYriSl6UTXCyATncCw   1   0    6775454            0      2.1gb          2.1gb

This file has been truncated. show original

dadoonet · March 15, 2024, 8:53pm

Thanks.

Could you share the logstash logs?

Christian_Dahlqvist · March 16, 2024, 9:38am

If you have a single node cluster you can not have any replicas. You therefore need to set this to 0 in your template and also change the number of replicas to 0 for all existing indices using the update index settings API. Even though Elasticsearch can never allocate these replica shards, they still count towards the maximum number of shards.

diselkgd7:

"hot": {
          "min_age": "0ms",
          "actions": {
            "set_priority": {
              "priority": 100
            },
            "rollover": {
              "max_primary_shard_size": "50gb",
              "max_age": "30d"
            }
          }

The index pattern you have configured indicates that you are not using rollover, but you still have rollover configured in your ILM policy. I think you need to fix this as I do not see how this policy could be working.

dadoonet · March 16, 2024, 9:51am

Things I learned!
I was not expecting that but this makes sense.

system · April 13, 2024, 9:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
.ds-logstash shards remain Elasticsearch ilm-index-lifecycle-management	4	232	November 21, 2022
Elastic agent indices - ILM Elastic Agent	6	191	October 11, 2023
Guidance on increasing cluster.max_shards_per_node Elasticsearch	9	1385	August 13, 2020
Elastic cloud kills itself with logs Elastic Cloud Enterprise (ECE)	3	119	May 30, 2024
Strange index size Elasticsearch ilm-index-lifecycle-management , datastreams	15	2864	February 22, 2021

Cluster currently has [1000]/[1000] maximum normal shards open

Related Topics