Hi,
All my indicies from filebeat and winlogbeat have yellow status on Kibana monitoring.
I have some shards on Unassigned Shards.
What does it means that and how i can fix it?
Best Regards,
Thanos
As long as your using Elasticsearch 5 or higher you can use the Cluster Allocation Explain API, check the doc here. Its a great tool to see exactly what is going on with your shards. Feel free to post your results. Also, how many nodes do you have and what is your primary/replica shard settings?
i got this
[root@atdevxhv03 ~]# curl -XGET localhost:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason| grep UNASSIGNED
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2098 100 2098 0 0 51606 0 --:--:-- --:--:-- --:--:-- 52450
filebeat-2018.06.26 1 r UNASSIGNED INDEX_CREATED
filebeat-2018.06.26 3 r UNASSIGNED INDEX_CREATED
filebeat-2018.06.26 4 r UNASSIGNED INDEX_CREATED
filebeat-2018.06.26 2 r UNASSIGNED INDEX_CREATED
filebeat-2018.06.26 0 r UNASSIGNED INDEX_CREATED
winlogbeat-2018.06.26 1 r UNASSIGNED INDEX_CREATED
winlogbeat-2018.06.26 3 r UNASSIGNED INDEX_CREATED
winlogbeat-2018.06.26 4 r UNASSIGNED INDEX_CREATED
winlogbeat-2018.06.26 2 r UNASSIGNED INDEX_CREATED
winlogbeat-2018.06.26 0 r UNASSIGNED INDEX_CREATED
[root@atdevxhv03 ~]# • curl -XGET localhost:9200/_cluster/allocation/explain?pretty
-bash: •: command not found
[root@atdevxhv03 ~]# curl -XGET localhost:9200/_cluster/allocation/explain?pretty
{
"index" : "filebeat-2018.06.26",
"shard" : 1,
"primary" : false,
"current_state" : "unassigned",
"unassigned_info" : {
"reason" : "INDEX_CREATED",
"at" : "2018-06-26T08:41:04.932Z",
"last_allocation_status" : "no_attempt"
},
"can_allocate" : "no",
"allocate_explanation" : "cannot allocate because allocation is not permitted to any of the nodes",
"node_allocation_decisions" : [
{
"node_id" : "JsMY-JVeSHSuu2vWZcmWdg",
"node_name" : "JsMY-JV",
"transport_address" : "127.0.0.1:9300",
"node_attributes" : {
"ml.machine_memory" : "16655601664",
"xpack.installed" : "true",
"ml.max_open_jobs" : "20",
"ml.enabled" : "true"
},
"node_decision" : "no",
"weight_ranking" : 1,
"deciders" : [
{
"decider" : "same_shard",
"decision" : "NO",
"explanation" : "the shard cannot be allocated to the same node on which a copy of the shard already exists [[filebeat-2018.06.26][1], node[JsMY-JVeSHSuu2vWZcmWdg], [P], s[STARTED], a[id=xhqnfkFIQHGNzAmm8jOX5g]]"
}
]
}
]
}
Thanks for running that API. Some of the important parts of the output i'll go over.
"primary" : false,
Here we know we are dealing with a replica shard
"explanation" : "the shard cannot be allocated to the same node on which a copy of the shard already exists
And here we get our explanation, the replica shard cannot be allocated to the same node as the primary shard. Primary and replica shards need to be dispersed on different nodes. If there are not enough nodes then the replica shards cannot be allocated to a node and you will have yellow status. Commonly this occurs if you have 1 node full of primaries and no other node for the replicas to allocate to.
If you provide the details of your cluster settings and shard settings we could see the reasoning.
How i can provide the details of my cluster?
I just installed elasticsearch - logstash and kibana on a centos 7 linux and then i have configured some linux clients using filebeat to send the logs to the ELK centos 7 server.
That's my infrastructure.
Best Regards,
Thanos
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.