Recently I have started seeing the following errors when I do all kinds of different searches in Graylog. Most of the time, shortening the time period I am searching fixes it. This is the error I get.
Error Message:
Unable to perform search query.
Details:
Search status code:
500
Search response:
cannot GET https://graylog.company.com:443/api/search/universal/relative?query=%28devname%3300D_Primary%20OR%20devname%3A300D_Secondary%29%20AND%20msg%3A%22SSL%20tunnel%20established%22&range=1209600&limit=150&sort=timestamp%3Adesc (500)
There are too many indexing and search requests for your Elasticsearch cluster.
Either increase the task queue sizes on all Elasticsearch nodes (which doesn’t really solve the problem) or make sure that the Elasticsearch cluster has enough resources to cope with the message throughput.
I am only bringing in around 150 messages a second, so I don’t have a huge load on this system. I increased the core count from 6 to 10, but it still isn’t able to keep up.
How do I increase the search queue size on the appliance?
That’s not possible in the OVA. Manual changes to the configuration of Graylog, Elasticsearch, or MongoDB will be overwritten when running graylog-ctl reconfigure.