Hi, I have an nprobe probe that collects flows from the network and transports them to an Elastic cluster.
For testing purposes I have one Elastic node with the following hardware:
o CPU: 8C
o RAM: 16GB
o HDD: 1T
This is my nprobe configuration
nprobe -b 1 -V 5 --collector-port 2055 -i eth0 -n none --elastic "flows;nprobe2-%Y.%m.%d;http://192.168.0.197:9200/_bulk"
When I exceed more than 1k flows per second I get a
WARNING: [ES] Export queue too long [32768]: expect drops
and this is true, most of the flows really are dropped.
When I redirect the output of nprobe to a TCP port and receive it with netcat, I see all of them, nothing is missing, so it is definitely an Elasticsearch issue.
What is strange is that the CPU is 80% idle almost all the time, iowait is about 5%, and there is also some RAM free.
I set limits in my OS to
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
and set LimitMEMLOCK=infinity
I also changed
bootstrap.memory_lock: true
and
-Xms5g
-Xmx5g
But no luck. I tried changing the thread_pool settings in elasticsearch.yml to
thread_pool.bulk.size: 9
thread_pool.bulk.queue_size: 100
but it seems to have no effect at all.
I’m using Elasticsearch version 5.5.2. What am I missing? Why does it not work?