ERROR: this cluster currently has [999]/[1000] maximum shards open

3,325 views
Skip to first unread message

mauro....@cmcc.it

unread,
Oct 5, 2021, 5:35:04 AM10/5/21
to Wazuh mailing list

Dear Users,

since the Wazuh (v.4.1) maximum shard open has been reached, I would like to create an ILM policy similar to the policy mentioned in this blog page:

https://wazuh.com/blog/wazuh-index-management/

I tried to create the suggested policy, but when I click on the "create" button I receive this error:

"Sorry, there was an error

[validation_exception] Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [999]/[1000] maximum shards open;"

So, I'm in a loop. Could you please help me to start deleting the index older than 60 days?

Thank you in advance,
Mauro

Juan Carlos

unread,
Oct 5, 2021, 7:07:52 AM10/5/21
to Wazuh mailing list
Hi Mauro,
To exit this loop you can delete old indices manually via the Elasticsearch API, this can be conveniently accessed via the web interface by going to left-most menu and selecting Dev Tools under Management.
For example to delete old alert indices you may use:
DevTools.png
You may also manually delete wazuh-monitoring and wazuh-statistics indices. By deleting a few you should be able to configure your ILM policy.

Let me know if you have any other questions.
Best Regards,
Juan Carlos Tello

mauro....@cmcc.it

unread,
Oct 5, 2021, 10:28:05 AM10/5/21
to Wazuh mailing list
Hi Juan,

many many thanks for your help.
You solved my issue :)

Have a great day.
Mauro
Reply all
Reply to author
Forward
0 new messages