How to fix ? index_not_found_exception
472 views
Skip to first unread message
Sławomir Sęk
Sep 19, 2023, 10:58:48 AM9/19/23
to mailing list Wazuh
ERROR Could not create wazuh-monitoring-2023.38w index on elasticsearch due to validation_exception
Sep 19, 2023 @ 16:45:00 ERROR index_not_found_exception
Sep 19, 2023 @ 16:45:00 ERROR index_not_found_exception
Natalia Castillo
Sep 19, 2023, 3:57:21 PM9/19/23
to Wazuh | Mailing List
Hi!
Thank you for using wazuh.
The error you are experiencing is usually due to elasticsearch shards having reached their limit. Elasticsearch has a limit of 1000 shards per node to avoid performance problems in the environment. You can either reduce the number of shards or increase the limit to solve the situation right now. I would recommend the former approach, as the latter will require more resources and may lead to performance issues.
If you want to reduce the number of shards, you need to delete old indices. You can do it from your web interface by opening the side bar, going to dev tools. You can have this guide as a reference: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/indices-delete-index.html
You also could automate the indice deletion with ILM/ISM policies to delete old indices after a period of time as explained in this post: https://wazuh.com/blog/wazuh-index-management.
On the other hand, if you want to increase the limit , you can do it by running this command on the Dev Tools:
PUT /_cluster/settings
{ "persistent" : {
"cluster.max_shards_per_node": "3000"
}
}
This will increase the max shards to 3000.
Hope this helps!
Regards
Thank you for using wazuh.
The error you are experiencing is usually due to elasticsearch shards having reached their limit. Elasticsearch has a limit of 1000 shards per node to avoid performance problems in the environment. You can either reduce the number of shards or increase the limit to solve the situation right now. I would recommend the former approach, as the latter will require more resources and may lead to performance issues.
If you want to reduce the number of shards, you need to delete old indices. You can do it from your web interface by opening the side bar, going to dev tools. You can have this guide as a reference: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/indices-delete-index.html
You also could automate the indice deletion with ILM/ISM policies to delete old indices after a period of time as explained in this post: https://wazuh.com/blog/wazuh-index-management.
On the other hand, if you want to increase the limit , you can do it by running this command on the Dev Tools:
PUT /_cluster/settings
{ "persistent" : {
"cluster.max_shards_per_node": "3000"
}
}
This will increase the max shards to 3000.
Hope this helps!
Regards
Reply all
Reply to author
Forward
0 new messages