Index file failures

jgiovann · November 11, 2019, 12:13am

Hi,

I’m an running Greylog 3.0.2 as an appliance. In the last few days I noticed there are no messages that are being captured as a result of index failures.

The error messages are:

There were 203,523 failed indexing attempts in the last 24 hours.

|a few seconds ago|graylog_0|cb854853-0417-11ea-890a-000c299c48cb|{“type”:“cluster_block_exception”,“reason”:“blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”}|
|a few seconds ago|graylog_0|cb854850-0417-11ea-890a-000c299c48cb|{“type”:“cluster_block_exception”,“reason”:“blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”}|
|a few seconds ago|graylog_0|cb854852-0417-11ea-890a-000c299c48cb|{“type”:“cluster_block_exception”,“reason”:“blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”}|
|a few seconds ago|graylog_0|cb854851-0417-11ea-890a-000c299c48cb|{“type”:“cluster_block_exception”,“reason”:“blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”}|

I don’t know why these errors have appeared. It is possible the index files are full, although I would have thought graylog would handle log rotation.

Any tips or assistance would be great

jgiovann · November 11, 2019, 1:36am

… I may have posted the question prematurely. I found another post where the following command resolved my issue:

curl -XPUT -H “Content-Type: application/json” http://localhost:9200/_all/_settings -d ‘{“index.blocks.read_only_allow_delete”: null}’{“acknowledged”:true}

It is likely the index files hit a watermark and didn’t rotate correctly ?
Should I increase the filesystem on which the index files reside or adjust the watermark threshold ?

jan · November 11, 2019, 9:09am

he @jgiovann

the calculation of index rotation might not be right for the available disk space. That is not done automatically. You need to calculate and configure on your own.

After you have released disk space the posted command is the right that elasticsearch accept messages again.

What the right solution for you is - add more disk space or change watermark settings highly depends on your needs. That can’t someone without your knowledge answer.

jgiovann · November 12, 2019, 6:01am

Hi Jan,

Thanks for the tip. I don’t have the option of increasing the disk space but I’ve re-configured the default index file to rotate after a certain size.

I’ll then look at re-configuring the watermark. Do I do this from the web interface or do I need to configure from the command line ?

jan · November 13, 2019, 11:01am

with the current version you need to adjust the watermark configuration from the command line - or set this is in the elasticsearch configuration file.

system · November 27, 2019, 11:01am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Lots of cluster_block_exception indexing errors Graylog Central (peer support)	2	850	July 4, 2019
Graylog elasticsearch -problem Graylog Central (peer support)	2	740	March 4, 2020
Graylog search issue Graylog Central (peer support)	8	1194	April 11, 2019
There were 204,800 failed indexing attempts Graylog Central (peer support)	22	3464	June 27, 2020
Graylog does not search! Graylog Central (peer support)	15	3306	July 4, 2019

Index file failures

Related Topics