Changing the number of replicas does not works.

[fadi abusafat]

Hi. 

I am trying to change number of replicas in order to meet the configuration of Elasticsearch API but I got this error. 

Any idea how to fix. 

Thank you so much. 

[Elwali Karkoub]

Hello Fadi,

Changing the number of replicas will depend on the version being used, For 7.1.0 and greater version Filebeat is managing the template and it can be modified in the following file :

[root@localhost vagrant]# head !$
head /etc/filebeat/wazuh-template.json
{
  "order": 0,
  "index_patterns": ["wazuh-alerts-3.x-*"],
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "1",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0",
    "index.mapping.total_fields.limit": 2000
  },

In the case of using prior versions where the template is loaded directly to elasticsearch, Following are steps (Wazuh 3.8 and elasticsearch 6.5.4 in this example)  :

1. Download the correspendant template  :
   
   

   curl https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json -o w-elastic-template.json

   
   
   
2. Edit the template to set one replicas :
   
   
   
   

   # nano w-elastic-template.json
   {
     "order": 0,
     "template": "wazuh-alerts-3.x-*",
     "settings": {
       "index.refresh_interval": "5s",
       "number_of_shards" :   1,
       "number_of_replicas" : 0
     },
     "mappings": {
     "...": "..."
     }
   }

   
   
   
3. Load the template :
   
   

   # curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @w-elastic-template.json
   

   { "acknowledged" : true }
   

   
   
4. Confirm changes :
   
   

   curl "http://localhost:9200/_template/wazuh?pretty&filter_path=wazuh.settings"

   
   
   

Note that the change will take in place into the new created indices.

Hope it helps,

Best regards,
Wali