OK…so I have a larger install, storing about 1500 events a second. We have our indices set to 1 day and purge after 30 count. This is a fresh build of Graylog on Ubuntu 16.04, 24 GB ram, 8 cores of proc, 6 TB of storage, running Graylog 2.3.1
We are seeing this error in the logs, but I’m not sure what to do about it.
**{"type":"illegal_argument_exception","reason":"Limit of total fields [1000] in index [graylog_82] has been exceeded"}**
The Windows EventLog sends structured messages, so if you have many different events in the Windows EventLog with vastly different field names and don't consolidate these fields in Graylog (e.g. via the processing pipelines), you can get 1000+ different field names.
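As an added illustration (not code from the thread or from Graylog), the Python below measures how many distinct field names a sample of structured events would push into the index mapping and shows the consolidation idea from the reply: keep the fields common to most events and fold the event-specific rest into one serialized field. The sample events and field names are constructed for the example; the real mapping count is kept by Elasticsearch and this only approximates it with distinct message keys.

```python
from collections import Counter
import json

# Elasticsearch default for index.mapping.total_fields.limit, the limit named in the error.
TOTAL_FIELDS_LIMIT = 1000

# Constructed sample of structured Windows events as Graylog might store them.
# Field names are illustrative, not taken from a real host.
SAMPLE_EVENTS = [
    {"source": "dc01", "EventID": 4624, "TargetUserName": "alice", "LogonType": 10},
    {"source": "dc01", "EventID": 4688, "NewProcessName": "C:\\Windows\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"source": "fs02", "EventID": 7036, "param1": "Spooler", "param2": "running"},
    {"source": "dc01", "EventID": 4624, "TargetUserName": "bob", "LogonType": 3},
]


def field_coverage(events):
    """Return {field: fraction of events that carry it}."""
    counts = Counter(f for e in events for f in e)
    return {f: n / len(events) for f, n in counts.items()}


def common_fields(events, min_coverage=0.5):
    """Fields present in at least `min_coverage` of events: candidates to keep as real fields."""
    return {f for f, c in field_coverage(events).items() if c >= min_coverage}


def consolidate(event, keep, bucket="event_data"):
    """Keep only the fields in `keep`; serialise everything else into one string field.

    One string field costs one mapping entry no matter how many event-specific
    keys it carries, which is what bounds the mapping size.
    """
    kept = {k: v for k, v in event.items() if k in keep}
    rest = {k: v for k, v in event.items() if k not in keep}
    if rest:
        kept[bucket] = json.dumps(rest, sort_keys=True)
    return kept


def mapping_size(events, keep=None):
    """Distinct field names the index mapping would have to hold (after consolidation if `keep` given)."""
    if keep is not None:
        events = [consolidate(e, keep) for e in events]
    return len({f for e in events for f in e})


def would_exceed_limit(events, keep=None, limit=TOTAL_FIELDS_LIMIT):
    """True when the distinct-field count would trip the Elasticsearch limit."""
    return mapping_size(events, keep) > limit
```

Running `field_coverage` over a day's worth of exported messages tells you which fields are rare enough to fold away before the mapping reaches the limit.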