Index setting is routing

Since yesterday I have been getting the following error:
Elasticsearch exception [type=illegal_argument_exception, reason=Limit of total fields [1000] has been exceeded while adding new fields [1]]];

  • OS Information:
    Ubuntu 20.04
  • Package Version:
    graylog 4.1.14
    elasticsearch “7.17.5”

I just wanted to get the current total fields setting with the command
curl -XGET
but I get the following:
That irritated me because the index is routed and not mapped. What should I do in this situation?

Off the top of my head, I don’t know of a way to get a field count for an index, but what you need to do to stop the errors is to split some of your sources up and route them to another index. You have too many sources going into the same index.

Or, if you don’t have many sources, it could be that an agent or a parser is misbehaving. This can happen sometimes with NXLog, for example. It will sometimes create junk fields, sometimes many of them.

You need to get the total number of fields down below 1000. Then manually rotate the index and the error will clear.
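One way to see how close an index is to the limit in the error above, as an added example that is not part of the original thread: it counts the fields in a mapping document shaped like the body of `GET /<index>/_mapping` and compares the total with `index.mapping.total_fields.limit`. The sample mapping, the index name `graylog_0` and the function names are constructed for illustration, and the counting rule (objects, leaf fields and multi-fields each count once) is an approximation of how Elasticsearch applies the limit.

```python
import json

# Constructed sample shaped like the body of GET /<index>/_mapping on
# Elasticsearch 7.x. Index name and fields are made up for illustration.
SAMPLE_MAPPING = json.loads("""
{
  "graylog_0": {
    "mappings": {
      "properties": {
        "message":   {"type": "text"},
        "source":    {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        "timestamp": {"type": "date"},
        "winlog": {
          "properties": {
            "EventID":  {"type": "long"},
            "Channel":  {"type": "keyword"},
            "UserData": {"properties": {"Param1": {"type": "keyword"}}}
          }
        }
      }
    }
  }
}
""")

DEFAULT_LIMIT = 1000  # default value of index.mapping.total_fields.limit


def count_fields(properties):
    """Count objects, leaf fields and multi-fields under a 'properties' map."""
    total = 0
    for spec in properties.values():
        total += 1                                         # the field or object itself
        total += len(spec.get("fields", {}))               # multi-fields such as .keyword
        total += count_fields(spec.get("properties", {}))  # children of an object field
    return total


def field_report(mapping_response, limit=DEFAULT_LIMIT):
    """Return {index: {"fields", "limit", "headroom"}} for each index in the response."""
    report = {}
    for index, body in mapping_response.items():
        used = count_fields(body.get("mappings", {}).get("properties", {}))
        report[index] = {"fields": used, "limit": limit, "headroom": limit - used}
    return report


if __name__ == "__main__":
    for index, row in field_report(SAMPLE_MAPPING).items():
        print(f"{index}: {row['fields']} of {row['limit']} fields used")
```

To use it on a real index, save the mapping response to a file and pass the parsed JSON to `field_report`, with `limit` set to the value configured on that index if it differs from the default.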

You are right, we just started using NXLog to send the event log of Windows servers to Graylog. Yesterday I created another index just for the event log and this solved the problem. But I just want to know why the output of the index settings says routing instead of mapping. What is the reason for that?

I think you may be referring to index routing. Not sure why that term was chosen, except that index mapping refers to mapping fields to individual indices in OpenSearch.

Index routing is a means of telling Graylog to store log data from particular streams in specific indices. It allows you to set separate rotation and retention periods, and can increase speed and storage efficiency by storing like data in discrete indices.

Hope this helps.
