×
Community Blog FAQ about Alibaba Cloud Elasticsearch clusters 01

FAQ about Alibaba Cloud Elasticsearch clusters 01

This topic provides answers to some frequently asked questions about Alibaba Cloud Elasticsearch clusters.

FAQ about the purchase, unsubscription, or release of clusters

When I purchase an Elasticsearch cluster, I performed an incorrect configuration. How do I modify the configuration after the cluster is created?

If you find that the configurations of your cluster do not meet your expectations after the cluster is created, you can refer to the methods provided in the following table to modify the configurations.
Warning
If you need to unsubscribe from or release your cluster, first back up your data. For more information about how to back up data, see Create manual snapshots and restore data from manual snapshots. After the unsubscription or release, your data stored on the cluster is deleted and cannot be restored.

Configuration item Solution
Billing method If you purchased a pay-as-you-go cluster, you can switch the billing method of the cluster to subscription. For more information, see Change the billing method of a cluster from pay-as-you-go to subscription.
Version This configuration item can be modified if one of the following conditions is met:
- The version of the cluster that you purchased is V5.5.3, and you want to upgrade the version to V5.6.16.
- The version of the cluster that you purchased is V5.6.16, and you want to upgrade the version to V6.3.2.
- The version of the cluster that you purchased is V6.3.2, and you want to upgrade the version to V6.7.0.
For information about how to upgrade the version of a cluster, see Upgrade the version of a cluster. If your version upgrade does not meet the preceding conditions, we recommend that you unsubscribe from or release your cluster and purchase another cluster of the desired version.
Region You cannot modify this configuration item. We recommend that you unsubscribe from or release your cluster and purchase another cluster based on your business requirements.
Zone You can migrate nodes to the desired zone. For more information, see Migrate nodes in a zone.
Note
Before you migrate nodes, you must make sure that your cluster is in the Active state.
Number of zones You cannot modify this configuration item. We recommend that you unsubscribe from or release your cluster and purchase another cluster based on your business requirements.
Specifications You can modify this configuration item. For more information, see Upgrade the configuration of a cluster.
Storage type You can modify this configuration item. For more information, see Upgrade the configuration of a cluster.
Cloud disk encryption You cannot modify this configuration item. We recommend that you unsubscribe from or release your cluster and purchase another cluster based on your business requirements.
Storage space per node You can modify this configuration item. For more information, see Upgrade the configuration of a cluster.
Number of data nodes You can modify this configuration item. For more information, see Upgrade the configuration of a cluster.
Network type, virtual private cloud (VPC), and vSwitch You cannot modify these configuration items. We recommend that you unsubscribe from or release your cluster and purchase another cluster based on your business requirements.
Note
The network type of an Elasticsearch cluster can only be VPC.
Username The default username is elastic. You cannot modify this configuration item. You can create a user in the Kibana console and grant the required permissions to the user. For more information, see Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control.
Password You can modify this configuration item. For more information, see Reset the access password for an Elasticsearch cluster.

For the configuration items that are not provided in the preceding table, check whether you can modify the items on the configuration upgrade or downgrade page. For more information, see Upgrade the configuration of a cluster and Downgrade the configuration of a cluster.

What are the mappings between versions on the Elasticsearch buy page and specific Elasticsearch versions?

Version on the buy page Specific version
8.13 8.13.4
8.9 8.9.1
8.5 8.5.1
7.16 7.16.2
7.10 7.10.0
7.7 7.7.1
6.8 6.8.6
6.7 6.7.0
6.3 6.3.2
5.6 5.6.16
5.5 5.5.3

If you have a self-managed Elasticsearch cluster, we recommend that you select a version that is nearest to the version of the cluster when you purchase an Alibaba Cloud Elasticsearch cluster. For example, you can select a version whose minor version is nearest to that of your self-managed Elasticsearch cluster. If you do not have a self-managed Elasticsearch cluster, we recommend that you select the latest version.

When I purchase an Elasticsearch cluster, no VPCs are available. What do I do?

Check whether the RAM user that you use is granted the permissions to obtain the list of VPCs. For more information, see View the information about a RAM user. If the RAM user that you use is not granted the permissions, grant the permissions to the RAM user. For more information, see Create a custom policy.

When I purchase an Elasticsearch cluster, no vSwitches are available after I select a VPC, and the error message "vSwitch: may not be empty" is reported. What do I do?

The issue occurs because no vSwitches are available in the zone that you selected. To resolve this issue, go to the vSwitch page in the VPC console to check whether vSwitches are available in the selected zone. If no vSwitches are available in the selected zone, you must create a vSwitch. For more information, see Create a VPC with an IPv4 CIDR block.

After I unsubscribe from or release an Elasticsearch cluster, I purchase another cluster. Does the endpoint of the new cluster remain the same as that of the original cluster?

No, the endpoint of the new cluster is different from that of the original cluster. After you purchase the new cluster, we recommend that you modify the client code and unsubscribe from or release the original cluster to avoid service interruptions.

How do I unsubscribe from or release an Elasticsearch cluster?

  • For information about how to release a pay-as-you-go cluster or an expired subscription cluster, see Release a cluster.
  • To unsubscribe from an unexpired subscription cluster, perform the following operations:

Log on to the Alibaba Cloud Management Console. In the top navigation bar, choose Expenses > Orders. In the left-side navigation pane of the Expenses and Costs console, click Unsubscribe. On the Unsubscribe page, perform cluster unsubscription or order cancellation. For more information, see Methods for unsubscribing resources.

Can I purchase an Elasticsearch cluster that has only one node?

No, you cannot purchase an Elasticsearch cluster that has only one node. An Elasticsearch cluster must have a minimum of two data nodes. For more information, see Parameters on the buy page.

When I purchase an Elasticsearch cluster, resources of a specific category are sold out. What do I do?

Take one of the following measures:

  • Select another region.
  • Select another zone.
  • Select another category.

If the resources that you want to purchase are still unavailable after you take all of the preceding measures, try again later. Resources are dynamic. If resources are insufficient, Alibaba Cloud replenishes the resources at the earliest opportunity.

Why do I need to upgrade the data nodes with the specifications of 1 vCPU and 2 GiB of memory in Elasticsearch clusters at the earliest opportunity?

Data nodes with the specifications of 1 vCPU and 2 GiB of memory may affect the performance of Elasticsearch clusters. Alibaba Cloud Elasticsearch no longer provides data nodes with such specifications since May 2021. Existing data nodes with such specifications can still be used. Data nodes with the specifications of 1 vCPU and 2 GiB of memory are suitable only for online learning and are not suitable for production environments. The service level agreement (SLA) does not apply to clusters that contain such data nodes. Therefore, we recommend that you upgrade your data nodes with the specifications of 1 vCPU and 2 GiB of memory at the earliest opportunity. For more information, see Upgrade the configuration of a cluster.

Why is an Elasticsearch cluster in the Initializing state for a long period of time after it is purchased?

A period of time is required before an Elasticsearch cluster can provide services after it is purchased. The period of time varies based on the specifications, data structure, and data volume of the cluster. In most cases, a few hours are required.

Do I need to purchase a Kibana node after I purchase an Elasticsearch cluster?

No, you do not need to purchase a Kibana node after you purchase an Elasticsearch cluster. When you purchase an Alibaba Cloud Elasticsearch cluster, the value of the Kibana Node parameter is fixed as Yes. You can select the specifications of the Kibana node based on your business requirements. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
Important
Due to the impact on performance and stability, we recommend that you select the specifications of 2 vCPUs and 4 GiB of memory or higher for the Kibana node. The Kibana node with one vCPU and 2 GiB of memory is free of charge. However, we recommend that you use the Kibana node with one vCPU and 2 GiB of memory only for testing purposes.

What do I do if I am unable to find the Elasticsearch cluster that I created?

Check whether the region that you selected in the top navigation bar of the Elasticsearch console is the region where your cluster resides. If the region that you selected is correct but you still cannot find your cluster, we recommend that you clear the browser cache or use an on-premises network.

In which scenarios do I need to purchase dedicated master nodes and client nodes for an Elasticsearch cluster?

You can use dedicated master nodes to perform operations on clusters, such as creating indexes, deleting indexes, tracking nodes, and allocating shards. The stability of dedicated master nodes is important to the health of clusters. We recommend that you purchase dedicated master nodes for your Elasticsearch cluster if you want to use the cluster in the following scenarios:

  • The loads of data nodes that are used as dedicated master nodes in the Elasticsearch cluster are heavy.
  • You want to use the Elasticsearch cluster in a data write scenario.
  • You have a high requirement for cluster stability.

Client nodes are used to forward all query and write requests received by an Elasticsearch cluster to data nodes and merge the query results of data nodes. If you want to use your Elasticsearch cluster in scenarios in which aggregate queries are required, we recommend that you purchase client nodes for the cluster. We recommend that you purchase client nodes and data nodes with the same specifications for your Elasticsearch cluster based on a ratio of 1:5. For example, if you purchase two client nodes for your Elasticsearch cluster, we recommend that you purchase 10 data nodes. A minimum of two client nodes must be purchased. For information about how to evaluate specifications and storage capacity for an Elasticsearch cluster, see Evaluate specifications and storage capacity.

What is the default username of the password that I specify when I purchase an Elasticsearch cluster?

The default username is elastic. You can also create a custom user. For more information, see Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control.

FAQ about features

Can I upgrade or downgrade the version of an Elasticsearch cluster?

You can upgrade the versions of clusters only from V5.5 to V5.6, from V5.6 to V6.3, or from V6.3 to V6.7.
If you want to perform upgrades between other versions or perform version downgrades, purchase an Elasticsearch cluster of the desired version. Then, migrate data from the original cluster to the new cluster and unsubscribe from or release the original cluster.
Note
You can apply for a free trial on an Elasticsearch V8.5 or V8.9 cluster. After you create such a cluster, you are not allowed to modify the cluster.

Can I log on to an Elasticsearch cluster over SSH and modify the configuration of the cluster?

No, for security purposes, you are not allowed to log on to your Elasticsearch cluster over SSH. If you want to modify the configuration of your cluster, use the cluster configuration feature of Elasticsearch. For more information, see Overview of cluster configuration.

Is Logstash V6.7 compatible with Elasticsearch V6.3?

Yes, Logstash V6.7 is compatible with Elasticsearch V6.3. For more information, see Compatibility matrixes.

Can Elasticsearch be used as a data source of Quick BI?

No, Elasticsearch cannot be used as a data source of Quick BI. You can use Kibana to analyze data and present analysis results.

Does Elasticsearch support scoring plug-ins?

Yes, Elasticsearch supports scoring plug-ins. When you create an index, Elasticsearch allows you to create a tokenizer. This way, when you search for data, Elasticsearch uses a scoring plug-in to sort search results by score. For more information, see Step 5: Search for data.

Does Elasticsearch support LDAP?

Yes, Elasticsearch supports Lightweight Directory Access Protocol (LDAP). If you want to use LDAP to authenticate the requests that are sent to your Elasticsearch cluster, you must deploy an on-premises Elasticsearch cluster of the same version and use this cluster to conduct an authentication test. If LDAP runs as expected, configure your cluster to support LDAP based on the configurations of the on-premises Elasticsearch cluster. For more information, see Use X-Pack to configure LDAP authentication.

Does Alibaba Cloud provide Elasticsearch SDK for Java?

Yes, Alibaba Cloud provides Elasticsearch SDK for Java. Different Elasticsearch versions use different SDKs. For more information, see Java API.

How do I view the kernel version of an Elasticsearch cluster?

By default, Elasticsearch clusters use the kernel of the latest version. For more information about kernel versions, see AliES release notes. If your cluster does not use the kernel of the latest version, the A new kernel patch is available message appears on the Basic Information page of your cluster. You can click the message to view the current kernel version of your cluster.
image.png

When am I allowed to forcefully restart an Elasticsearch cluster? What is the impact of a forced restart?

If your Elasticsearch cluster is in an abnormal state (indicated by the color red or yellow) and you want to restart the cluster, you can forcefully restart the cluster. During the forced restart, your Elasticsearch service may be unstable, data may be lost, or data read and write operations may fail. Proceed with caution.

How do I check whether the vulnerability in Apache Log4j 2 is fixed for my Elasticsearch cluster?

The vulnerability is fixed after your Elasticsearch cluster is restarted. For more information, see [[Vulnerability notice] RCE vulnerability in Apache Log4j 2](https://www.alibabacloud.com/help/en/es/product-overview/vulnerability-announcement-or-rce-vulnerability-in-apache-log4j-2#concept-2163543).

Do I need to upgrade the version of my Elasticsearch cluster to fix the vulnerability in Apache Log4j 2?

No, you do not need to upgrade the version of your Elasticsearch cluster. You need to only follow the instructions provided in Procedure to fix the vulnerability.

How do I enable communication between Elasticsearch clusters that reside in different regions over an internal network?

You can use one of the following methods to enable communication between Elasticsearch clusters that reside in different regions over an internal network:

How do I migrate data to an Alibaba Cloud Elasticsearch cluster?

You can migrate data to an Alibaba Cloud Elasticsearch cluster from another Alibaba Cloud Elasticsearch cluster, a self-managed Elasticsearch cluster, or a third-party Elasticsearch source. The data migration solution and tool vary based on the data migration scenario. For more information, see Select a data migration solution.

Can I enable HTTPS for an Elasticsearch cluster that does not contain client nodes?

Before you enable HTTPS for an Elasticsearch cluster of a version other than the following versions, you must make sure that the cluster contains client nodes.

  • V7.16 and later

If an Elasticsearch cluster is of one of the preceding versions and contains client nodes, you can disable the client nodes for the cluster. If an Elasticsearch cluster is of a version other than the preceding versions and contains client nodes, you cannot release, unsubscribe from, or disable the client nodes for the cluster.
For security purposes, after you enable HTTPS for an Elasticsearch cluster, the system regularly maintains and updates the certificates on which the cluster depends. You cannot perform a rolling update for certificates installed on data nodes in Elasticsearch clusters of V7.10 or earlier. To reduce the impact of a node restart on online services during a certificate update, the system deploys the certificates on client nodes, which are used to forward requests. When you enable HTTPS for an Elasticsearch cluster that does not contain client nodes, the system displays a message to prompt you to purchase client nodes for the cluster. You must purchase client nodes for the cluster before you can enable HTTPS for the cluster. For more information, see Enable HTTPS.

What is the maximum number of shards that can be allocated for indexes on a single data node in an Elasticsearch cluster?

Alibaba Cloud Elasticsearch allows you to allocate a maximum of 1,000 shards for indexes on a single data node in Elasticsearch V7.X clusters. The number of shards that can be allocated for indexes on a single data node is not limited for Elasticsearch clusters of other versions. You must configure shards for indexes on a single data node based on the specifications of the Elasticsearch cluster. For more information, see Evaluate specifications and storage capacity and Size your shards.
You can run the following command in which the max_shards_per_node parameter is configured to temporarily change the maximum number of shards that a single data node can store:

PUT /_cluster/settings
{
   "transient": {
      "cluster": {
        "max_shards_per_node":10000
      }
   }
}

Important
We recommend that you do not specify an excessively large value for the max_shards_per_node parameter. To prevent cluster stability issues caused by excessively high loads of an Elasticsearch cluster, we recommend that you increase the number of nodes in the cluster or reduce the number of shards in the cluster, and appropriately plan shards for the cluster.

How are indexes whose names start with .monitoring-es generated? What can I do with such indexes?

By default, the X-Pack monitoring component collects monitoring data from an Elasticsearch cluster at intervals of 10 seconds and stores the data to the indexes whose names start with .monitoring- in the cluster. In Elasticsearch V6.X clusters, the .monitoring-es-6- and .monitoring-kibana-6- indexes are used to store monitoring data. These indexes are rolled over every day. The name of a .monitoring-es-6- index ends with the date when the monitoring data is stored.
A
.monitoring-es-6-
index stores information such as the cluster status, cluster statistics, node statistics, and index statistics. Such indexes consume a large amount of disk space. For more information, see Configure monitoring indexes.

What encryption algorithm is used to encrypt disks for an Elasticsearch cluster?

Alibaba Cloud Elasticsearch uses the industry-standard AES-256 encryption algorithm and Key Management Service (KMS) to encrypt disks for Elasticsearch clusters. For more information, see Overview of disk encryption.

Is port 9300 supported by Elasticsearch clusters?

Only Elasticsearch V5.X clusters support port 9300 for TCP and port 9200 for HTTP and HTTPS. Elasticsearch clusters of other versions support only port 9200.
Note
You cannot use Transport Client to access Elasticsearch clusters of V6.0 or later over port 9300. You can access only Elasticsearch V5.X clusters over port 9300.

FAQ about data migration and synchronization

How do I synchronize data from ApsaraDB for MongoDB to Alibaba Cloud Elasticsearch?

You can use Monstache to synchronize data from ApsaraDB for MongoDB to Alibaba Cloud Elasticsearch in real time. For more information, see Use Monstache to synchronize data from MongoDB to Alibaba Cloud Elasticsearch in real time.

FAQ about cluster restart

How long is required to restart an Elasticsearch cluster or node?

When you restart an Elasticsearch cluster or node, the system displays the required time. The time is estimated based on the specifications, data structure, and data volume of the cluster or node. In most cases, a few hours are required to restart a cluster. For more information, see Restart a cluster or node.

Does the system restart an Elasticsearch cluster after I enable or disable the Public Network Access feature for the cluster?

No, the system does not restart an Elasticsearch cluster after you enable or disable the Public Network Access feature for the cluster. Only the status of the Public Network Access feature changes. This does not affect your cluster.

Does the system restart an Elasticsearch cluster after I reset the password used to access the cluster?

No, the system does not restart an Elasticsearch cluster after you reset the password used to access the cluster. After you reset the password for a cluster, the system only reloads the data of the cluster but does not restart the cluster. For more information, see Reset the access password for an Elasticsearch cluster.

Is the restart of an Elasticsearch cluster affected if the indexes in the cluster have no replica shards?

Yes, the restart of the cluster is affected if the indexes in an Elasticsearch cluster have no replica shards. Services may be interrupted during the restart of the cluster. In most cases, if the load of a cluster is not high and the indexes in the cluster have replica shards, the cluster can still provide services during a restart. However, access timeouts may occur during a restart in some cases. For example, if a number of nodes in the cluster are forced to restart at the same time, the cluster is heavily loaded and is not accessible, the indexes in the cluster do not have replica shards, or large amounts of data are written or queried during a restart or forced restart, access timeouts may occur. In these cases, we recommend that you design a retry mechanism on your client first and restart the cluster during off-peak hours.

How do I restart a specific type of node, such as Kibana node, or a single node?

  • Restart a specific type of node

On the Basic Information page of your Elasticsearch cluster, click Restart in the upper-right corner. In the Restart dialog box, select Node Role for Object and select the type of node that you want to restart in the Node field. For more information, see Restart a cluster or node.

  • Restart a single node

You can use one of the following methods to restart a single node:

  • On the Basic Information page of your Elasticsearch cluster, click Restart in the upper-right corner. In the Restart dialog box, select Node for Object and select the node that you want to restart in the Node field. For more information, see Restart a cluster or node.
  • In the Node Visualization section of the Basic Information page of your Elasticsearch cluster, move the pointer over the node that you want to restart. In the popover that appears, click Restart. For more information, see View the cluster status and node information.

What do I do if the restart progress of an Elasticsearch cluster is stuck?

We recommend that you view the details of the cluster change task in the Tasks dialog box in the Elasticsearch console. For more information, see View the progress of a cluster task. The restart of an Elasticsearch cluster whose version is not V7.16 requires a few hours. If the change progress remains unchanged for a long period of time, you can refer to the instructions described in the following table to troubleshoot the issue.

Possible cause Solution
An error occurs on a plug-in that is installed for the Elasticsearch cluster. As a result, nodes in the cluster cannot be restarted. Delete the plug-in.
Shards cannot be allocated due to excessively high disk usage.
Note
Delete specific indexes or temporarily set the number of replica shards to 0 for the indexes.
Shards cannot be allocated due to invalid configurations of cluster parameters. Run the GET /_cluster/allocation/explain?pretty command to query the reason why shards are not allocated to nodes and resolve the issue based on the actual situation.
The number of replica shards is greater than the number of nodes in the Elasticsearch cluster. Adjust the number of replica shards.
An out-of-memory (OOM) error occurs due to the excessively small specifications of the Elasticsearch cluster. Upgrade the configuration of the Elasticsearch cluster.

You can view the cluster monitoring data to check the disk usage of each node in the Elasticsearch cluster. For more information, see Metrics and exception handling suggestions.

Can nodes in an Elasticsearch cluster be periodically restarted?

No, the nodes in an Elasticsearch cluster cannot be periodically restarted. If you want to enable periodical restart for the nodes in your Elasticsearch cluster, you can call the RestartInstance API operation. If you call this API operation, you must also configure a scheduled task and node information.

FAQ about abnormal cluster loads or status

The CPU utilization and loads of some nodes in an Elasticsearch cluster are normal, whereas other nodes are in the idle state. What do I do?

This issue is caused by unbalanced loads on the cluster. Unbalanced loads may be caused by several reasons, which include inappropriate shard settings, uneven segment sizes, unseparated hot and cold data, and persistent connections that are used for Service Load Balancer (SLB) instances and multi-zone architecture. Resolve the issue based on the actual scenario. For more information, see Unbalanced loads on a cluster.
Important

  • Before you resolve the issue, check the specifications of your cluster. If the specifications of your cluster are 1 vCPU and 2 GiB of memory, upgrade the specifications to 2 vCPUs and 4 GiB of memory or higher. The specifications of 1 vCPU and 2 GiB of memory are used only for online learning. For more information about how to upgrade the specifications, see Upgrade the configuration of a cluster.
  • Data nodes with the specifications of 1 vCPU and 2 GiB of memory are suitable only for online learning and are not suitable for production environments. The SLA does not apply to clusters that contain such data nodes. Such data nodes affect the stability of Elasticsearch clusters. Alibaba Cloud Elasticsearch no longer provides such data nodes. Therefore, we recommend that you upgrade your data nodes with the specifications of 1 vCPU and 2 GiB of memory at the earliest opportunity.
  • We recommend that you use data nodes with 2 vCPUs and 4 GiB of memory in testing environments and use data nodes with higher specifications in production environments.

What do I do if an Elasticsearch cluster is in a state indicated by the color yellow?

  • Cause

If the number of replica shards that you specify for an index is greater than the number of nodes minus 1, the cluster enters a state indicated by the color yellow.
Solutions
Run the GET _cat/indices?v command to query the distribution of shards for indexes and identify the index that is in a state indicated by the color yellow. Then, change the number of replica shards for the index to 0. After the cluster recovers to a normal state, change the number of replica shards for the index from 0 to the original setting.

  • Warning

After the number of replica shards is changed to 0, if nodes stop providing services due to errors, data stored on the nodes may be lost. Proceed with caution when you change the number of replica shards. After the cluster recovers to a normal state, change the number of replica shards from 0 to the original setting at the earliest opportunity. The recovery of the cluster requires approximately 1 minute.

PUT test/_settings
{
  "index" : {
    "number_of_replicas":"0"
  }
}

What do I do if an Elasticsearch cluster is in a state indicated by the color red due to heavy loads?

If an error occurs on the node on which primary shards are distributed, the cluster enters a state indicated by the color red. You can run the GET /_cat/indices?v command to query the distribution of shards for indexes and identify the index that is in a state indicated by the color red. Then, troubleshoot the issue based on the causes and solutions described in the following table.

Cause Solution
The resources of the cluster are insufficient due to unbalanced loads on nodes. Change the total number of primary and replica shards to an integral multiple of the number of data nodes in the cluster to balance loads on nodes. For more information, see What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster?
The cluster stores invalid indexes. Clear invalid indexes on a regular basis, such as monitoring indexes whose names start with .monitoring. For more information about how to configure monitoring indexes, see Configure monitoring indexes.
Shards are not allocated to nodes. Run the GET /_cluster/allocation/explain?pretty command to query the reason why shards are not allocated to nodes and resolve the issue based on the actual situation. After the issue is resolved, run the POST /_cluster/reroute?retry_failed=true command to reallocate shards to nodes.
The cache occupies a large amount of resources. Run the POST /<Index name>/_cache/clear?fielddata=true command to clear the cache.
A cluster update operation such as configuration upgrade is being performed on the cluster. Pause the update operation and select Forced Update on the Upgrade/Downgrade page to forcefully update the cluster. For more information, see Upgrade the configuration of a cluster.
The resources of the cluster are insufficient because the cluster uses low specifications such as 1 vCPU and 2 GiB of memory or 2 vCPUs and 4 GiB of memory. Upgrade the configuration of the cluster. For more information, see Upgrade the configuration of a cluster.
Note
The disk usage exceeds 85%. We recommend that you delete the historical data you no longer require or that you expand the capacity of disks. For more information, see High disk usage and read-only indexes.
  • Data nodes with the specifications of 1 vCPU and 2 GiB of memory are suitable only for online learning and are not suitable for production environments. The SLA does not apply to clusters that contain such data nodes. Such data nodes affect the stability of Elasticsearch clusters. Alibaba Cloud Elasticsearch no longer provides such data nodes. Therefore, we recommend that you upgrade your data nodes with the specifications of 1 vCPU and 2 GiB of memory at the earliest opportunity.
  • We recommend that you use data nodes with 2 vCPUs and 4 GiB of memory in testing environments and use data nodes with higher specifications in production environments.

Monitoring data or an alert shows that the CPU utilization of my Elasticsearch cluster is excessively high. What do I do?

Troubleshoot the issue based on the causes and solutions described in the following table.

Cause Solution
The number of queries or write requests per second spikes. Reduce the number of queries or write requests per second for the cluster, reduce the amount of data to write to the cluster in parallel, or scale out or up the cluster. We recommend that you perform stress testing in the production environment and select appropriate specifications.
The cache for indexes occupies a large amount of resources. Run the POST /Index name/_cache/clear?fielddata=true command to clear the cache.
The cluster uses low specifications. Upgrade the configuration of the cluster. For more information, see Upgrade the configuration of a cluster.
Loads on nodes in the cluster are unbalanced. Change the total number of primary and replica shards to an integral multiple of the number of data nodes in the cluster to balance loads on nodes. For more information, see What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster?

What do I do if the disk usage of my Elasticsearch cluster is excessively high?

Run the DELETE /Index name command to delete invalid indexes. After the disk usage is lower than 75%, forcefully upgrade the configuration of disks in the Elasticsearch console. For more information, see Upgrade the configuration of a cluster. If the disk usage of a node is excessively high, you must optimize the configuration of shards. For more information, see What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster?
Note
To prevent the impact of high disk usage on Alibaba Cloud Elasticsearch, we recommend that you enable disk usage monitoring and alerting. You must view the alert notification in time and take appropriate measures in advance. For more information, see Metrics and exception handling suggestions. When the disk usage of a node exceeds different thresholds, impacts on the cluster are different. The following descriptions provide the related information in detail:

  • If the disk usage of a node exceeds 85%, the system no longer allocates new shards to the node.
  • If the disk usage of a node exceeds 90%, the system migrates the shards on the node to other data nodes with low disk usage.
  • If the disk usage of a node exceeds 95%, the system forcefully adds the read_only_allow_delete attribute to all indexes in the cluster. As a result, data cannot be written to the indexes. You can only read data from the indexes or delete the indexes.

Monitoring data or an alert shows that the memory usage of my Elasticsearch cluster is excessively high. What do I do?

Troubleshoot the issue based on the causes and solutions described in the following table.

Cause Solution
The cache for the cluster occupies a large amount of memory. If the cache for the cluster occupies a large amount of memory for a short period of time, run the POST /Index name/_cache/clear?fielddata=true command to clear the cache. If the cache for the cluster occupies a large amount of memory for a long period of time, upgrade the configuration of the cluster. For more information, see Upgrade the configuration of a cluster. The memory usage of the cluster may periodically increase but no alert is generated, which may be caused by business fluctuations or memory reclaim of the cluster. This is a normal phenomenon.
The read or write throughput of the cluster is high. Stop the read or write operation, install a throttling plug-in, and then enable the throttling feature of the plug-in. For more information, see Use the aliyun-qos plug-in.
Invalid indexes occupy a large amount of memory. Delete invalid indexes such as monitoring indexes whose names start with .monitoring to release resources. You can specify a retention duration for such indexes. For more information, see Configure monitoring indexes.
Shards are not evenly distributed on nodes, and loads on nodes are unbalanced. Change the total number of primary and replica shards to an integral multiple of the number of data nodes in the cluster and make sure that shards are evenly distributed on nodes to balance loads on the nodes. For more information, see What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster?
Abnormal queries exist. For example, a user on the business side sends a query request that contains a string with numerous special characters. Run the GET _cat/tasks?v command to obtain the ID of the time-consuming query task and run the GET _tasks?detailed=true&actions=*read/search* command to obtain the detailed query statement and save and analyze the statement. You can also call the task cancel API, restart the cluster, or restart only heavily loaded nodes in the cluster to quickly cancel the query.

What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster?

Appropriately plan shards and reallocate shards for nodes. Make sure that the total number of primary and replica shards is an integral multiple of the number of data nodes in the cluster. This ensures that data is evenly distributed on each data node and prevents heavy loads on a node due to uneven shard distribution. The following descriptions provide examples on how to allocate primary and replica shards for nodes:

  • If the cluster has three data nodes, you can configure three primary shards and one replica shard for each primary shard. The total number of primary and replica shards that you can configure is six.
  • If the cluster has eight data nodes, you can configure four primary shards and one replica shard for each primary shard. The total number of primary and replica shards that you can configure is eight. Alternatively, you can configure eight primary shards and one replica shard for each primary shard. In this case, the total number of primary and replica shards that you can configure is 16.

Note

  • After you adjust the number of shards for nodes, you must make sure that the data stored on the nodes can be evenly distributed on each node. To achieve this, we recommend that you reindex the data during off-peak hours. The availability and query performance of an Elasticsearch cluster increase with the number of replica shards. However, more memory of the cluster will be used.
  • Both the number of shards and the size of each shard contribute to the stability and performance of an Elasticsearch cluster. You must properly plan shards for all indexes in an Elasticsearch cluster. This prevents numerous shards from affecting cluster performance when it is difficult to define business scenarios. For information about how to plan shards for indexes, see Shard evaluation.
  • Uneven shard distribution leads to unbalanced cluster loads. You can use one of the following methods to check whether shards are evenly allocated for nodes in an Elasticsearch cluster:

    • View the monitoring data of the cluster. If shards are not evenly distributed on nodes in the cluster, the CPU utilization, memory usage, or disk usage of a node is high.
    • Run the GET _cat/shards?v command to query the shard information of the indexes in the cluster. If nodes with heavy loads have a large amount of shards, shards are not evenly distributed on all nodes.

My Elasticsearch cluster is heavily loaded, and the cluster logs contain the following error message: java.lang.StackOverflowError for the entire cluster. What do I do?

The error message indicates that a stack overflow error occurs because the amount of data written to the stack by using Lucene exceeds the upper limit. This issue is related to regular expression-based queries and fuzzy match. This issue is fixed in Elasticsearch V6.0 and later. We recommend that you upgrade the configuration of the cluster at the earliest opportunity or optimize the query statement that you use. For more information, see java.lang.StackOverflowError for the entire cluster.

How do I query the size of the JVM heap memory that is allocated to an Elasticsearch cluster?

Run the GET _nodes/stats/jvm?pretty command. By default, the Java Virtual Machine (JVM) heap memory of an Elasticsearch cluster is half of the memory of the cluster. You cannot change the size of the JVM heap memory of an Elasticsearch cluster.

FAQ about data read or write

How do I adjust the size of the document write queue for an Elasticsearch cluster?

Adjust the value of the thread_pool.write.queue_size parameter in the YML file of the cluster. For more information, see Configure the YML file. Before you adjust the size of the document write queue for the cluster, you can run the GET /_cat/thread_pool?v command to view the queue usage in the cluster.
Important
For Elasticsearch clusters whose versions are earlier than V6.0, use the thread_pool.index.queue_size parameter to configure the size of the document write queue.

How do I query or export data of a specific period of time?

You can use a range query of Elasticsearch to query the data of a specific period of time. For more information, see Range query.
If you want to export data of a specific period of time, you can use Logstash to filter data and obtain the data that you want to export. For more information, see Logstash configuration files.

Is the amount of data that can be written to an Elasticsearch cluster at a time by using a bulk write request limited?

Yes, the amount of data that can be written to an Elasticsearch cluster at a time by using a bulk write request is limited to 100 MB. If this limit is exceeded, you must adjust the amount of data that you write to the cluster at a time. The amount of data that is written to an Elasticsearch cluster at a time by using a bulk write request is calculated by using the following formula: Amount of data that is written to an Elasticsearch cluster at a time by using a bulk write request = Number of documents × Size of each document. You may not be able to precisely estimate the amount of data that is written at a time based only on the number of documents because the amount is also related to the size and complexity of each document. If each document stores a large amount of data, you can reduce the number of documents to write at a time. We recommend that you debug the amount of data to write at a time from 5 MB to 15 MB. By default, the amount of data that is written to an Elasticsearch cluster at a time by using a bulk write request cannot exceed 100 MB. For more information, see HTTP settings. For information about how to debug the amount of data, see Using and Sizing Bulk Requests in the documentation for open source Elasticsearch.

What do I do if a difference exists between the time of obtained data and the actual time?

By default, Elasticsearch runs at Coordinated Universal Time (UTC). A difference exists between UTC and the actual time. Elasticsearch does not support time zone adjustment. You can convert time based on the difference. For example, UTC is 8 hours later than Beijing time, which indicates that the time of data stored in Elasticsearch is 8 hours later than the actual time. In this case, you can convert time for data by using one of the following methods:

  • When you query data of the date type, specify the time zone or timestamp of the data. For more information, see Parameters for .
  • When you write time data, specify a time zone. For example, specify "time" : "2022-07-15T12:58:17.136+0800".
  • Use Kibana to display data. After Kibana obtains a field of the date type from Elasticsearch, Kibana obtains the local time zone by using JavaScript, converts the time of values of the field based on the time zone of the browser, and then displays the results. For more information, see How do I change the time zone for data visualization in the Kibana console?
  • If you use Logstash to synchronize data, a time difference of 8 hours exists between the data before the synchronization and the data after the synchronization. Before you synchronize data, you can manually add the related time to the pipeline configuration, such as filter{ ruby{ code => "event.set('update_time', event.get('update_time').time.localtime + 8*60*60)" } }.

What do I do if no result is returned for a query in an Elasticsearch cluster or a long period of time is required before results can be returned?

If no result is returned for a query in an Elasticsearch cluster or a long period of time is required before results can be returned, the query is a slow query. You can view slow query logs in the console and locate the cause based on the instructions in Metrics and exception handling suggestions. The following table describes common causes and related solutions.

Cause Solution
Loads on nodes are unbalanced due to uneven shard distribution. Change the total number of primary and replica shards to an integral multiple of the number of data nodes in the cluster to balance loads on nodes. For more information, see What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster?
The resources of the cluster are insufficient. If queries that consume a large amount of resources are performed on the cluster, we recommend that you optimize the statements used for the queries or upgrade the configuration of the cluster. The queries can be aggregate queries, term queries, script queries, or fuzzy match. For information about how to upgrade the configuration of an Elasticsearch cluster, see Upgrade the configuration of a cluster.
Note

The query performance of an Elasticsearch cluster is related to the health status of the cluster. If the memory usage of an Elasticsearch cluster is lower than 80% and loads on nodes in the cluster are balanced, the cluster can provide high query performance.

What do I do if the following error message is reported when data is being written to my Elasticsearch cluster: Data too large... which is larger than the limit of?

  • Cause

The write throughput of the cluster is excessively high and circuit breaking is triggered for the cluster due to insufficient resources of the cluster.
Solution

  • Important

If the operations in the following solutions cannot be performed, you must stop all query and write operations and forcefully restart the cluster. After the cluster recovers to a normal state, use one of the following solutions to resolve the issue.

1)Run the POST /Index name/_cache/clear?fielddata=true command to clear the cache for indexes. If the issue persists, go to the next step.

2)Run the GET /_cat/indices?v command to check whether shards are not evenly distributed on nodes in the cluster. For more information, see What do I do if shards are not evenly distributed on nodes in an Elasticsearch cluster? If the issue persists, go to the next step.

3)Reduce the concurrency for the write operations, delete invalid indexes to release resources, and reduce the use of the Kibana monitoring feature.

To disable the Kibana monitoring feature, run the following command:

PUT _cluster / settings {
    "persistent": {
        "xpack.monitoring.collection.enabled": false
    }
}

If the issue persists, go to the next step.

4)Upgrade the configuration of the cluster.

Can I delete multiple indexes in an Elasticsearch cluster at a time?

Yes, you can delete multiple indexes in an Elasticsearch cluster at a time. To perform this operation, you must set the Index Deletion parameter to Allow Wildcards in the YML file of the cluster and restart the cluster. After the cluster is restarted, the indexes are deleted at a time by using wildcards. For more information, see Configure the YML file.
Warning
Deleted indexes cannot be recovered. Before you configure the Index Deletion parameter, make sure that the setting of the parameter does not affect your business.

When I create an index in my Elasticsearch cluster, the error message "index uuid conflicted" is reported, which indicates that the UUID of the index is conflicted, and data cannot be written to documents in the index. What do I do?

This is a known issue. To troubleshoot the issue, upgrade the kernel version of the cluster to V1.5.0 or later. For more information, see Upgrade the version of a cluster.

How do I change the value of the index.max_result_window parameter?

The index.max_result_window parameter is provided by Elasticsearch for paged queries that are performed by using the from and size parameters and specifies the maximum number of documents that can be returned for a paged query. The default value of the index.max_result_window parameter is 10000. If the maximum number of queried documents exceeds this value, the following error message is reported: Result window is too large, from + size must be less than or equal to: [10000].
In a search scenario in which deep paging is required, you may need to increase the value of the index.max_result_window parameter. You can run the following command to change the value of the index.max_result_window parameter. The parameter value in the following command is for reference only. If the Elasticsearch cluster is restarted after the command is successfully run, the setting of this parameter still takes effect.

PUT /my_index/_settings  
{  
  "index": {  
    "max_result_window": 50000  
  }
}

Important
If a large number of results are returned for the query, we recommend that you do not perform deep paging by using the from and size parameters. Otherwise, a large amount of CPU and memory resources are consumed. In a search scenario in which deep paging is required, we recommend that you use the scroll or search_after parameter.

What do I do if the following error message is reported when I update the data for an index in my Elasticsearch cluster: Rejecting mapping update to [] as the final mapping would have more than 1 type?

This issue occurs because the index type that is used for the update is different from the original index type. An index in an Elasticsearch cluster can have only one type. If you want to update the data for an index in an Elasticsearch cluster, you must use an index type that is the same as the original index type.
Note
In open source Elasticsearch 7.0 and later, the value of the type field in the mapping configuration is fixed as _doc.

How do I query all documents in an index?

Log on to the Kibana console of the Elasticsearch cluster and run the following command. For information about how to log on to the Kibana console, see Log on to the Kibana console.

GET _search
{
   "query": {
   "match_all": {}
  }
}

You can also query all documents in an index on the Discover page of the Kibana console. Before you perform the query on the Discover page, you must create an index pattern. For information about how to use the Kibana console, see Kibana Guide.

0 1 0
Share on

Data Geek

100 posts | 4 followers

You may also like

Comments

Data Geek

100 posts | 4 followers

Related Products

  • Alibaba Cloud Elasticsearch

    Alibaba Cloud Elasticsearch helps users easy to build AI-powered search applications seamlessly integrated with large language models, and featuring for the enterprise: robust access control, security monitoring, and automatic updates.

    Learn More
  • CloudBox

    Fully managed, locally deployed Alibaba Cloud infrastructure and services with consistent user experience and management APIs with Alibaba Cloud public cloud.

    Learn More
  • Alibaba Cloud Flow

    An enterprise-level continuous delivery tool.

    Learn More