Increase index.max_result_window

Justmfree · August 16, 2020, 1:32pm

how can i increase index.max_result_window in graylog ? (3.3.4)
is there any command or place from where i can change limit ?

While retrieving data for this widget, the following error(s) occurred:

Elasticsearch limits the search result to 10000 messages. With a page size of 150 messages, you can use the first 66 pages. Search type returned error: Result window is too large, from + size must be less than or equal to: [10000] but was [23250]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level setting.

makarands · August 17, 2020, 11:09am

@Justmfree I am happy to share you below Graylog FAQ documentation link which might help you to increase index.max_result_window value.

https://docs.graylog.org/en/3.3/pages/faq.html#i-cannot-go-past-page-66-in-search-results

Hope this helps you!

Justmfree · August 18, 2020, 9:06am

thanks i know this link… but there is no detail technical procedures how to increase

makarands · August 18, 2020, 11:16am

@Justmfree You can configure index.max_result_window setting in your Elasticsearch cluster configuration i.e. /etc/elasticsearch/elasticsearch.yml. As you know that after taking an effect of new configuration you need to restart ES service.

I hope this clear your query.

Justmfree · August 18, 2020, 11:49am

i tried but when i restart elasticsearch crashes. i guess this is not correct place because it is dynamic setting.? [
@makarands

makarands · August 19, 2020, 12:18pm

@Justmfree Yes, you are right. The max_result_window is a dynamic index level setting, not node specific. The default is 10,000, so if that’s the value you’d like to set, there should be no need.

You can adjust it by updating either a specific index settings or globally across all existing indices:

PUT _settings
{
  "index.max_result_window": 11000
}

Else, you can take look at below ES guide link for more information.

https://www.elastic.co/guide/en/elasticsearch/reference/2.4/cluster-update-settings.html#cluster-update-settings

Justmfree · August 19, 2020, 1:08pm

where from i can set this command ?
PUT _settings { “index.max_result_window”: 11000 }
@makarands makarand

frantz · August 31, 2020, 9:16am

On your Elastic server:
curl -XPUT -H 'Content-Type: application/json' -d '{"persistent": {"index.max_result_window": 11000 }}' 'http://127.0.0.1:9200/_cluster/settings'

Justmfree · August 31, 2020, 1:49pm

tried but returned error:
{“error”:{“root_cause”:[{“type”:“illegal_argument_exception”,“reason”:“persistent setting [index.max_result_window], not recognized”}],“type”:“illegal_argument_exception”,“reason”:“persistent setting [index.max_result_window], not recognized”},“status”:400}

frantz · August 31, 2020, 4:07pm

Try:
curl -XPUT -H 'Content-Type: application/json' -d '{"index": {"max_result_window": 20000 }}' 'http://127.0.0.1:9200/graylog_0/_settings'

This is only for the index graylog_0, you need to apply it on all the indexes you need.

If it doesn’t work, what is the version of ES ?

Justmfree · August 31, 2020, 6:14pm

thanks @frantz it worked, may i ask ? how can i setup to apply this setting for future indexes as well automatically ?

ES version:

“name” : “AwMlPpn”,
“cluster_name” : “graylog”,
“cluster_uuid” : “u–dEU0MTQyfO4igsFCjGQ”,
“version” : {
“number” : “6.8.9”,
“build_flavor” : “oss”,
“build_type” : “rpm”,
“build_hash” : “be2c7bf”,
“build_date” : “2020-05-04T17:00:34.323820Z”,
“build_snapshot” : false,
“lucene_version” : “7.7.3”,
“minimum_wire_compatibility_version” : “5.6.0”,
“minimum_index_compatibility_version” : “5.0.0”
},
“tagline” : “You Know, for Search”

frantz · September 1, 2020, 8:14am

To update this setting on all existing indexes just do the same query on the URL http://127.0.0.1:9200/_settings

To apply it on all future indexes you need to create a template:
curl -XPUT -H 'Content-Type: application/json' -d '{"index_patterns": ["graylog_*"], "settings": {"index.max_result_window": 20000}}' 'http://127.0.0.1:9200/_template/template_1'

More info on https://stackoverflow.com/questions/55594386/where-should-i-configure-max-result-window-index-setting

Justmfree · September 1, 2020, 9:55am

thanks @frantz

i apply this:
curl -XPUT -H ‘Content-Type: application/json’ -d ‘{“index_patterns”: [“graylog_*”], “settings”: {“index.max_result_window”: 20000}}’ ‘http://127.0.0.1:9200/_template/template_1’

than i will look how it will works , thank you very much.

system · September 15, 2020, 9:55am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Increase index.max_result_window Graylog 3.3.1 Graylog Central (peer support)	4	1695	July 9, 2020
10000 messages Elasticsearch limits in Graylog Graylog Central (peer support)	11	2650	January 4, 2021
Max_result_window increase Graylog 4.0.5+d95b909 Graylog Central (peer support)	17	3395	April 27, 2021
Configure index.max_result_window Graylog Central (peer support)	7	4342	March 26, 2019
Elastic search max_result_window setting limitation Graylog Central (peer support)	1	252	June 6, 2023

Increase index.max_result_window

Related topics