Cluster RED status and unassigned shards

Isaac S.

Apr 18, 2026, 3:13:44 AM
to Wazuh | Mailing List
Hello Wazuh Team

I have a Wazuh cluster with some worker nodes. A few days ago I lost a node and the cluster changed from GREEN to RED.

Then the lost node was recovered and reconnected to the cluster, but the cluster status continues on GREEN.

=== INFO ===
- wazuh version: 4.14.1
- cluster health: RED
- all cluster nodes are connected
- "unassigned_shards": 227,
- "allocate_explanation": "cannot allocate because allocation is not permitted to any of the nodes",
- "explanation": """node does not cluster setting [cluster.routing.allocation.include] filters [_name:"node-11"]"""

Regards



hasitha.u...@wazuh.com

Apr 18, 2026, 5:10:21 AM
to Wazuh | Mailing List
Hi Isaac,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Apr 18, 2026, 5:31:31 AM
to Wazuh | Mailing List

Hi Isaac,

node does not match cluster setting [cluster.routing.allocation.include] filters [_name:"node-11"]

That usually means the cluster is currently configured to allocate shards only to node-11. If that filter was added during troubleshooting or while the node was unavailable, OpenSearch can keep many shards unassigned until that setting is removed or corrected. A RED cluster means at least one primary shard is still unassigned. 

I would suggest checking the cluster routing settings first:
Navigate to Indexer management -> Dev tools
GET _cluster/settings?include_defaults=true&pretty

Please look for settings such as:

cluster.routing.allocation.include._name
cluster.routing.allocation.exclude._name
cluster.routing.allocation.require._name
cluster.routing.allocation.enable

If cluster.routing.allocation.include._name is set to node-11, and that is no longer intended, you can clear it with:

  PUT _cluster/settings
  {
    "persistent": {
      "cluster.routing.allocation.include._name": null
    },
    "transient": {
      "cluster.routing.allocation.include._name": null
    }
  }


After that, check the allocation explanation again and retry failed allocations if needed:

GET _cluster/allocation/explain?pretty

POST _cluster/reroute?retry_failed=true&pretty

Then share with me so I can review further.

Please share the output of:

  • GET /_cluster/settings?include_defaults=true
  • GET /_cluster/health?pretty
  • GET /_cat/shards?v
  • GET /_cluster/allocation/explain?pretty

and we can help review it further.
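
As an added example (not from the thread or from Wazuh): a Python check that scans a saved GET _cluster/settings response for explicitly set allocation filters among the settings listed above, in both persistent and transient scope, and builds a PUT _cluster/settings body that nulls only the keys it found. The sample response and the node name node-03 are constructed, and the function names are hypothetical.

```python
import json

FILTER_KINDS = ("include", "exclude", "require")
PREFIX = "cluster.routing.allocation."

def flatten(tree, prefix=""):
    """Turn nested settings into dotted keys; already-flat keys pass through."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def find_allocation_overrides(settings):
    """Return {scope: {dotted_key: value}} for explicitly set allocation limits."""
    found = {}
    for scope in ("persistent", "transient"):  # "defaults" cannot be cleared
        for key, value in flatten(settings.get(scope, {})).items():
            if not key.startswith(PREFIX):
                continue
            rest = key[len(PREFIX):]
            is_filter = rest.split(".")[0] in FILTER_KINDS and value not in ("", None)
            is_disabled = rest == "enable" and value != "all"
            if is_filter or is_disabled:
                found.setdefault(scope, {})[key] = value
    return found

def build_reset_body(overrides):
    """Body for PUT _cluster/settings that nulls only the keys that were found."""
    return {scope: {key: None for key in keys} for scope, keys in overrides.items()}

# Constructed sample response: nested keys in one scope, flat keys in the other.
SAMPLE = json.loads("""
{"persistent": {"cluster": {"routing": {"allocation": {
     "include": {"_name": "node-11"}, "disk": {"watermark": {"low": "85%"}}}}}},
 "transient": {"cluster.routing.allocation.exclude._name": "node-03",
               "cluster.routing.allocation.enable": "all"},
 "defaults": {"cluster": {"routing": {"allocation": {"enable": "all"}}}}}
""")

if __name__ == "__main__":
    overrides = find_allocation_overrides(SAMPLE)
    print(json.dumps(overrides, indent=2))
    print("PUT _cluster/settings")
    print(json.dumps(build_reset_body(overrides), indent=2))
```
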

Isaac S.

Apr 20, 2026, 2:03:16 PM
to Wazuh | Mailing List
Hello Hasitha

I applied the next command and it works.

  PUT _cluster/settings
  {
    "persistent": {
      "cluster.routing.allocation.exclude._name": null
    },
    "transient": {
      "cluster.routing.allocation.exclude._name": null
    }
  }

Thank you

hasitha.u...@wazuh.com

Apr 20, 2026, 11:39:54 PM
to Wazuh | Mailing List
Hi Isaac,

I am glad that your issue has been resolved!