Setting max_analyzed_offset permanently for an index

zaeemmasood · May 26, 2023, 7:55pm

Hi All,

We are using ELK stack 7.13.2

I came across an error while displaying an index in dashboard as follows:

The length [2134324] of field [additionalInfo] in doc[100496]/index[370844-2023.05.24] exceeds the [index.highlight.max_analyzed_offset] limit [1000000]. To avoid this error, set the query parameter [max_analyzed_offset] to a value less than index setting [1000000] and this will tolerate long field values by truncating them.

The field "additionalinfo" did have large number of characters.

I went ahead and bumped up the setting for the index as follows:

PUT /370844-2023*/_settings
{
  "index" : {
    "highlight.max_analyzed_offset" : 3000000
  }
}

Note that I used an asterisk so that the setting gets applied on all the indices.

This fixed the issue and indices started appearing without a problem. I understand that this is heavy on system resources.

Issue is that the new indices (they roll over date wise) being created do not seem to inherit the setting of 300000.

Please guide on how to make a permanent change to the index which would be applicable to all the indices getting created in future.

Thanks

zaeemmasood · May 28, 2023, 5:36pm

Created an index template which should take care of indices created in future.

PUT /_index_template/template_370844
{
  "index_patterns" : ["370844-2023*"],
  "priority" : 1,
  "template": {
    "settings" : {
      "highlight.max_analyzed_offset" : 3000000
    }
  }
}

warkolm · May 29, 2023, 7:48am

Please note that version is EOL and no longer supported, you should be looking to upgrade as a matter of urgency.

system · June 26, 2023, 7:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.