maxClauseCount is set to 1024 error when running "Threat Intel Filebeat Module (v8.x) Indicator Match" rule

Rorb · May 30, 2022, 12:37am

Ended up solving this after finding a Github issue in the Elasticsearch repo:

The maximum number of clauses automatically gets set to 1024 when heap size is less than 1GB

opened 12:49PM - 25 Apr 22 UTC

>non-issue :Search/Search Team:Search

The code to compute the maximum number of clauses looks like this: ```java … public static int calculateMaxClauseValue(ThreadPool threadPool) { int searchThreadPoolSize = threadPool.info(ThreadPool.Names.SEARCH).getMax(); long heapSize = JvmStats.jvmStats().getMem().getHeapMax().getGb(); return calculateMaxClauseValue(searchThreadPoolSize, heapSize); } static int calculateMaxClauseValue(long threadPoolSize, double heapInGb) { if (threadPoolSize <= 0 || heapInGb <= 0) { return DEFAULT_MAX_CLAUSE_COUNT; } // In a worst-case scenario, each clause may end up using up to 16k of memory // to load postings, positions, offsets, impacts, etc. So we calculate the // maximum number of clauses we can support in a single thread pool by // dividing the heap by 16k (or the equivalent, multiplying the heap in GB by // 64k), and then divide that by the number of possible concurrent search // threads. int maxClauseCount = (int) (heapInGb * 65_536 / threadPoolSize); return Math.max(DEFAULT_MAX_CLAUSE_COUNT, maxClauseCount); } ``` @nkhristinin reported the following surprising behavior. Say you have 1 vCPU and 2 search threads, - If you have 1GB of heap to the JVM then `maxClauseCount` will be 32,768. - But if you give slightly less than 1GB to the heap, e.g. 1023MB, then `long heapSize` will be 0 because of the cast performed by the `getGB()` call, and `maxClauseCount` will be set to 1,024 because ef the `heapInGb <= 0` condition. It might not be a bad thing to be more careful with small heaps, but the code doesn't suggest that this behavior is intentional.

In the issue the author found that having a jvm heap size less that 1GB forced the maximum number of clauses to be set to the default of 1024, which is why even though my node settings said it was 4096, the system forced it to 1024 internally. This was in fact the case for my setup, even though I have assigned more than 1Gb of memory for the ES node the jvm is only assigned half of that.

I believe you can see your max jvm heap size by running: GET _nodes/settings in the dev console of kibana and looking at nodes.*.attributes.ml.max_jvm_size, it seems to be set to half of nodes.*.attributes.ml.machine_memory.

After assigning over 2Gb of memory and waiting for the ES nodes to update the rule ran with no problem.

Topic		Replies	Views
TooManyClauses[maxClauseCount is set to 1024] Elasticsearch	3	4085	July 6, 2017
Max_clause_count not being set in config file Elasticsearch	4	472	July 6, 2017
How do I get Elasticsearch max_clause_count to take effect? Elasticsearch	13	28517	July 5, 2017
Weird maxclausecount issue Elasticsearch	5	2026	July 5, 2017
maxClauseCount configuration Elasticsearch	2	461	July 6, 2017

maxClauseCount is set to 1024 error when running "Threat Intel Filebeat Module (v8.x) Indicator Match" rule

Related topics