REST API GET /sources fails - error 500

Graylog version: 2.5.2
Elasticsearch JVM heap size: 32GB

Trying to run REST API GET /sources and getting 500 error and this error message:

ElasticsearchException{message=Unable to perform search query\n\njava.util.concurrent.ExecutionException: ElasticsearchException[java.util.concurrent.ExecutionException: CircuitBreakingException[[parent] Data too large, data for [source] would be [25234022481/23.5gb], which is larger than the limit of [23850332979/22.2gb], usages [request=16040/15.6kb, fielddata=13496400184/12.5gb

I also noticed that the list of source hosts does not seem to show under the “Sources” selection of the regular web client interface…

You have too many shards in your Elasticsearch cluster.

As far as I can tell we have only four shards?:

That does not seem to be a large number compared to what others are reporting…

Hey @markc

You might want to read this:

You have, from what I see, 24 shards …

OK - now I understand that we have 6 indices with 4 shards per index for a total of 24 shards. However, that still seems like a small number of shards. According to the document in your message, with 32GB of JVM heap and one node, the limit is 140 shards…
