Sorry for the lack of information here, but we have been experiencing massive cluster instability for the last week or so. We had upgraded to 1.5.2 last week and were stable for a full week before we started to have issues. It looked like the master node would lose connectivity with a data node, as we were seeing TimeOut exceptions in our logs. Restarting the node wouldn't fix this; when we powered the node off the cluster still thought it was joined. The only way to fix this was to completely stop every node in the cluster and restart the cluster. The Cluster would rebuild fine, and then this would happen again. Whenever it did, EVERY node would stop responding to REST API called. Any API call I would do that wasn't just 'localhost:9200' or 'localhost:9200/_cluster/health' would just hang and never respond (which also means no searching, plugins won't work, etc).
15861 for 11 nodes, looks like awefully a lot. you mentioned you reducing number of shards in the cluster, how much have you reduce (not sure shard can be alter after it is created) ? when you see timeout, did you check on timeout setting and alter accordingly?
By master node config, I meant the RAM/Processor. Anyways, for ur data we had similar master bottleneck when we had 36k shards, the master was 2 core 5 GB. We moved to 4 cores 28 GB and things ran smoothly for even more shards than what we wanted to support.
~15000 shards for 2TB of data is extremely excessive. Is that just your primary shard count? Because with number_of_replicas set to 2, you've actually got around 45000 shards. Keep in mind each shard is an Lucene process, which consumes resources on each node...
I'd suggest you drastically drop your number of shards. For 2TB of data, around 40 (primary) shards across all indices is probably much better.
No, that is ~15000 shards total; I have about ~5000 primary shards.
The reason we have so many shards is that we use logstash for all of our indexing, and that creates a new index a day.
So right now I am noticing that the /_nodes API can sometimes take forever to return a value. This is causing issues with Kibana, because it looks like KIbana is also making a call to the /_nodes API. I suspect that there is an issue with some threadpool somewhere, but for the life of me I can't figure out which one it is.
You can change the number of shards instead of using the default 5 shards.
Also, you can create an index per month instead of per day if your volume of docs per day is not that big.
So shard distribution with Elasticsearch I get a little confused on 'Best Practices'. The default number of primary shards is 5, so what are the pros and cons on changing the default number? Also, is the high number of shards causing my /_nodes /_search and /_msearch API calls to take a long time to return? Because right now basic searches are taking ~30 seconds to complete.
Optimally you want to only have exactly 1 shard per node per index if you can. So say you have 3 data nodes, then you want to only have 1 primary shard with 2 replicas. This will give you optimal performance.
sometimes having just 1 shard per node might not be ideal especially for machines with more than 1 core. a lot of things in Lucene happens sequentially especially how it processed segments. if data is spread (large data) into more than one shard, one ES query can result in multiple sub-queries (Lucene queries) and be handled in parallel... By more than 1 shard I mean some shards (single-digit number)
I still don't have an answer as to why /_nodes, /_cat, /_search, /_msearch, etc (but not /_cluster) sometimes take FOREVER to return any information (30 seconds to 90 seconds per query).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
