Fresh Install (3.3): Elasticsearch connection issues

A fresh install of version 3.3 on Ubuntu Server 20.04(via deb package). I have an input source configured that on the input page shows data flowing in. When I go to the “Show Received Messages” page the Message count widget and All Messages widget show the same error message:

While retrieving data for this widget, the following error(s) occurred:

Unable to perform search query: [query_string] query does not support [use_dis_max].

This is shown even when I set how far to go back and search for 8 hours or more.

I also get an error notification for a deflector error message:

Deflector exists as an index and is not an alias. (triggered 15 hours ago)

The deflector is meant to be an alias but exists as an index. Multiple failures of infrastructure can lead to this. Your messages are still indexed but searches and all maintenance tasks will fail or produce incorrect results. It is strongly recommend that you act as soon as possible.

Performing:
curl -XGET localhost:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason| grep UNASSIGNED

graylog_deflector 0 r UNASSIGNED INDEX_CREATED

Looking at the reason given :

“unassigned_info” : {

“reason” : “INDEX_CREATED”,

“at” : “2020-05-31T21:35:50.873Z”,

“last_allocation_status” : “no_attempt”

},

“can_allocate” : “no”,

“allocate_explanation” : “cannot allocate because allocation is not permitted to any of the nodes”,

“node_allocation_decisions” : [

I deleted my input source, stopped Elasticsearch, deleted all ES data, restarted ES, then created another input. As soon as the data came in, Cerebro showed a deflector created just as last time, and there was the same graylog message.

In addition, when I create a new index in graylog, it appears to not be created in ES (from what Cerebro is showing me).

Perhaps this is helpful, the graylog install instructions say to uncomment:
action.auto_create_index: false
in the elasticsearch.yml. I do not see that as an option in the 6.8 or the 7.7 version of elasticsearch.

Lastly, I do see input coming in the input stream, and I am seeing the size of the default index increasing. and the space used in my Elasticsearch data directory is increasing.

he @brohan

Graylog does work only with ES 6.8 - you need to ADD the line action.auto_create_index: false to the configuration.

This prevents Elasticsearch from creating indices in behalf of Graylog leading to this error.

1 Like

Stopping the graylog server, uninstalling ES, then reinstalling ES 6.8.9, updating the config (for IP used 0.0.0.0) starting ES, then restarting graylog has things up and running as expected. Thank you for your asistance.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.