Maximum number of shards almost reached
236 views
Skip to first unread message
Cristian Radu
Jan 18, 2023, 11:39:51 AM1/18/23
to Wazuh mailing list
Hello,
How can I found out the maximum number of shards defined? I know the default value is 1000.
I have now 995 shards, created retention policies, but so far nothing deleted. I increased the limit to 1200 for now. (using this command from this post https://groups.google.com/g/wazuh/c/DEtJC15Stqk)
GET /_cluster/settings?flat_settings
{
"persistent" : {
"cluster.max_shards_per_node" : "1200",
"opendistro.index_state_management.history.number_of_replicas" : "0"
},
"transient" : { }
}
"persistent" : {
"cluster.max_shards_per_node" : "1200",
"opendistro.index_state_management.history.number_of_replicas" : "0"
},
"transient" : { }
}
I noticed that indices have 3 shards each. How can I change them to have only 1 shard per index?
Thanks,
Cristian
Tomas Turina
Jan 18, 2023, 6:48:58 PM1/18/23
to Cristian Radu, Wazuh mailing list
Hi Cristian,
To get the maximum number of shards defined, you can run the same endpoint you used with the parameter include_defaults:
GET /_cluster/settings?include_defaults=true
About the shards per index, it is recommended to set them to 1. To do it please go to the file /etc/filebeat/wazuh-template.json and change the value of index.number_of_shards (by default it has to be 3) to 1.
I hope this information helps you.
To get the maximum number of shards defined, you can run the same endpoint you used with the parameter include_defaults:
GET /_cluster/settings?include_defaults=true
About the shards per index, it is recommended to set them to 1. To do it please go to the file /etc/filebeat/wazuh-template.json and change the value of index.number_of_shards (by default it has to be 3) to 1.
I hope this information helps you.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e53b8523-c730-4b08-8b75-6ee8f4d2506cn%40googlegroups.com.
Cristian Radu
Feb 2, 2023, 9:51:00 AM2/2/23
to Wazuh mailing list
Hi Tomas,
I did the change and I still see 3 shards. I restarted the wazuh-indexer after the change.
cat /etc/filebeat/wazuh-template.json | grep shards
"index.number_of_shards": "1",
"index.number_of_shards": "1",
wazuh-archives-4.x-2023.02.01 1 p STARTED 413620 619.4mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.01 2 p STARTED 413786 614.2mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.01 0 p STARTED 414821 616.9mb 10.1.220.178 node-1
100 109k 100 109k 0 0 119k 0 --:--:-- --:--:-- --:--:-- 119k
wazuh-archives-4.x-2023.02.02 1 p STARTED 259625 458.7mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.02 2 p STARTED 259824 593.1mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.02 0 p STARTED 259456 441.8mb 10.1.220.178 node-1
.opendistro-ism-managed-index-history-2023.02.01-000091 0 p STARTED 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.01 1 p STARTED 110214 111.1mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.01 2 p STARTED 109833 111.5mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.01 0 p STARTED 110159 113.6mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.02 1 p STARTED 68414 74.1mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.02 2 p STARTED 68439 71mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.02 0 p STARTED 69111 70.6mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.01 2 p STARTED 413786 614.2mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.01 0 p STARTED 414821 616.9mb 10.1.220.178 node-1
100 109k 100 109k 0 0 119k 0 --:--:-- --:--:-- --:--:-- 119k
wazuh-archives-4.x-2023.02.02 1 p STARTED 259625 458.7mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.02 2 p STARTED 259824 593.1mb 10.1.220.178 node-1
wazuh-archives-4.x-2023.02.02 0 p STARTED 259456 441.8mb 10.1.220.178 node-1
.opendistro-ism-managed-index-history-2023.02.01-000091 0 p STARTED 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.01 1 p STARTED 110214 111.1mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.01 2 p STARTED 109833 111.5mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.01 0 p STARTED 110159 113.6mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.02 1 p STARTED 68414 74.1mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.02 2 p STARTED 68439 71mb 10.1.220.178 node-1
wazuh-alerts-4.x-2023.02.02 0 p STARTED 69111 70.6mb 10.1.220.178 node-1
Do I need to perform something else?
Thanks,
Cristian
Cristian Radu
Feb 16, 2023, 10:03:33 AM2/16/23
to Wazuh mailing list
Hi Tomas,
Any ideas on how to enable the index number of shards to 1? I am close to reaching my limit again. What do I need to do make my new limit active? I need to reindex everything? If so, how can I do that?
Thanks,
Cristian
Reply all
Reply to author
Forward
0 new messages