Upgrading Elasticsearch v2.3 to v5.0: "Too many fields"

danny999 · July 15, 2019, 8:02pm

I ran the Elasticsearch Migration Helper and it came back reporting that about half of my indexes have too many fields. Apparently ES v5.0 has a limit of 1000 fields, and my indexes use on average 1000-1300… ?

I’m learning as I go… My goal is to get us to Graylog v3 with Elasticsearch v6, preferably with all our indexes still accessible.

Anyone else run into this? Any suggestions?

jan · July 16, 2019, 10:17am

change the setting for that limit:

https://www.graylog.org/post/what-to-do-when-you-have-1000-fields

danny999 · July 16, 2019, 1:55pm

Thanks Jan, it seems like this is something to avoid if possible. I already wasn’t happy with the performance of ES/GL when doing large searches, I imagine it will only make it worse if I change the field limit to 1350 to accommodate all my old indexes.

How do I prevent this in the future though? The link you provided mentioned being able to send different inputs into different indexes, but it didn’t say how to do it… Can you point me in the right direction?

jan · July 16, 2019, 3:31pm

you actually create multiple multiple index sets ( http://docs.graylog.org/en/3.0/pages/configuration/index_model.html ) and route different streams ( http://docs.graylog.org/en/3.0/pages/streams.html ) into different indices.

It will not harm you, raising the max fields to 1350 … I guess the number 1000 is out of the blue.

mmurdock · July 18, 2019, 5:57pm

The article above shows how to adjust an existing index. Are there any instructions for setting future indices to a larger field limit?

jan · July 19, 2019, 8:03am

should I really google that for you?

mmurdock · July 19, 2019, 8:27am

Well, no I wouldn’t expect that. I thought maybe you or someone would be able to point me generally in the right direction. I have searched for an answer, and perhaps it’s my lack of Elasticsearch experience, but I either haven’t found a clear answer or I’ve looked past one out of ignorance.

I’ll search some more and add the answer here once I find it.

jan · July 19, 2019, 11:18am

sorry that I might sound rude - I forgot that you might not know HOW to set that…

You should use index templates/mappings

http://docs.graylog.org/en/3.0/pages/configuration/elasticsearch.html#custom-index-mappings
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/indices-templates.html

system · August 2, 2019, 11:19am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Too many fields Graylog Central (peer support)	12	596	August 28, 2023
Can we use Elasticsearch false or strict with Graylog? Graylog Central (peer support)	8	1560	May 29, 2019
Graylog: ES Log: Limit of total fields [1000] in index [graylog_519] has been exceeded and no longer processing Graylog Central (peer support)	17	10698	August 24, 2017
Indexing Error? Graylog Central (peer support)	5	1942	December 23, 2017
Error [Elasticsearch exception...reason=Limit of total fields [1000] has been exceeded]] Graylog Central (peer support)	5	87	April 1, 2024

Upgrading Elasticsearch v2.3 to v5.0: "Too many fields"

Related Topics