Elasticsearch Cluster health is yellow

mshar039 · March 30, 2016, 11:08am

My elasticsearch cluster "graylog2" health status is showing yellow, but in web-interface it is showing green.

I could see the following lines in Graylog web-interface.

"1 indices with a total of 26 messages under management, current write-active index is graylog2_0.

Elasticsearch cluster is green. Shards: 1 active, 0 initializing, 0 relocating, 0 unassigned"

http://127.0.0.1:9200/_cluster/health?pretty=true
{
"cluster_name" : "graylog2",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 2,
"number_of_data_nodes" : 1,
"active_primary_shards" : 6,
"active_shards" : 6,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 5,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0
}

http://127.0.0.1:9200/_cat/indices?v
health status index pri rep docs.count docs.deleted store.size pri.store.size
yellow open logstash-2016.03.17 5 1 27 0 37.4kb 37.4kb
green open graylog2_0 1 0 26 0 24.7kb 24.7kb

Can anyone please answer some of my questions

why logstash index status is yellow even with a very little data in it?
why the elasticsearch cluster's health is yellow?
How to fix it.

magnusbaeck · March 30, 2016, 11:23am

You only have one data node and your logstash-2016.03.17 index has one replica. Those replica shards can never get allocated since primary and replica shards can't reside on the same node. You either need two data nodes or you need to reduce the number of replicas to zero.

mshar039 · March 30, 2016, 12:21pm

Thanks for the reply @magnusbaeck.
I tried reducing the number of replicas to zero using the setting in elasticsearch.yml.
index.number_of_replicas: 0 and restarted the elasticsearch service.

But still on checking the indices, logstash index is showing configured replica shards as 1.
How to tell logstash that the number of replica shards is 0 now?

Thanks

magnusbaeck · March 30, 2016, 12:25pm

The setting in elasticsearch.yml only affects the default number of replicas. It won't change the number of replicas that existing indexes have. You need to use the index settings update API.

mshar039 · April 4, 2016, 6:27am

Thanks for the help @magnusbaeck. Wanted to know one more thing..
In the graylog/server/server.conf, the settings for graylog node is as follows by default.

#we don't want the graylog2 server to store any data, or be master node
#elasticsearch_node_master = false
#elasticsearch_node_data = false

i.e. this node would not store any data in it.
So, how is it that graylog2_0 index has some documents in its shard?

Please help me!

magnusbaeck · April 4, 2016, 7:11am

I don't know anything about Graylog. Does it run its own ES node that's connected to your cluster? I'm assuming yes.

So, how is it that graylog2_0 index has some documents in its shard?

Whether the ES node that's part of Graylog stores any data has nothing to do with the presence of the graylog2_0 index or whether it contains any data.