.opendistro-anomaly-results-history number of replicas
53 views
Skip to first unread message
j885...@gmail.com
Nov 24, 2025, 5:19:09 AM (8 days ago) Nov 24
to Wazuh | Mailing List
Hello!
I noticed that cluster status is yellow and found 2 unassigned indices:
.opendistro-anomaly-checkpoints and .opendistro-anomaly-results-history-2025.11.20-1
I believe the issue is that the number of replicas is set to 1 but we have all-in-one installation.
How to reduce the number of replicas for the indices? I tried to do it manually for .opendistro-anomaly-results-history-2025.11.20-1 but I lacked permissions for some reason.
Awwal Ishiaku
Nov 24, 2025, 6:26:24 AM (8 days ago) Nov 24
to Wazuh | Mailing List
I suspect this is because the index is configured to have a replica on a single node deployment.
For further analysis, share the output of the following command for confirmation:
curl -k -u admin:YOUR_PASSWORD "https://localhost:9200/_cat/indices?v"
For further analysis, share the output of the following command for confirmation:
curl -k -u admin:YOUR_PASSWORD "https://localhost:9200/_cat/indices?v"
Or run the following command via the Wazuh dashboard in the indexer dev tools page:
GET /_cat/indices?v
GET /_cat/indices?v
As for the permissions, what user account or method are you using to reduce the number of replicas?
The dev tools page on the dashboard may be useful. This is if you are logged in as the admin user
j885...@gmail.com
Nov 25, 2025, 2:25:29 AM (8 days ago) Nov 25
to Wazuh | Mailing List
See attached outputs for GET /_cat/shards?v and GET _cat/indices/?v. The Unassigned indices are visible in the shards file.
I tried to reduce the number of replicas in two ways (being admin):
1) Command:
PUT /.opendistro-anomaly-results-history-*/_settings
{
"index": {
"number_of_replicas": 0
}
}
2) Manually in the index settings via Index Management section in Wazuh.
{
"index": {
"number_of_replicas": 0
}
}
2) Manually in the index settings via Index Management section in Wazuh.
Both ended with permission failure.
j885...@gmail.com
Nov 28, 2025, 1:49:11 AM (5 days ago) Nov 28
to Wazuh | Mailing List
Kind reminder about this issue.
Awwal Ishiaku
2:31 AM (13 hours ago) 2:31 AM
to Wazuh | Mailing List
It's a system index, so you can't modify directly from the dashboard.
Run the following command on the indexer server to change the number of replicas:
sudo curl --insecure \
--cert /etc/wazuh-indexer/certs/admin.pem \
--key /etc/wazuh-indexer/certs/admin-key.pem \
-X PUT "https://127.0.0.1:9200/.opendistro-anomaly-results-history-*/_settings" \
-H 'Content-Type: application/json' \
-d '{
"index": {
"number_of_replicas": 0
}
}'
sudo curl --insecure \
--cert /etc/wazuh-indexer/certs/admin.pem \
--key /etc/wazuh-indexer/certs/admin-key.pem \
-X PUT "https://127.0.0.1:9200/.opendistro-anomaly-results-history-*/_settings" \
-H 'Content-Type: application/json' \
-d '{
"index": {
"number_of_replicas": 0
}
}'
Reply all
Reply to author
Forward
0 new messages