Briefly, this error occurs when the Document Level Security (DLS) BitSet size exceeds the maximum cache size. DLS BitSet is used for filtering documents based on user permissions. The cache size is limited to prevent excessive memory usage. To resolve this issue, you can either increase the cache size by adjusting the ‘indices.bitset.filter_cache.size’ setting or reduce the complexity of your DLS queries to decrease the BitSet size. However, increasing cache size may impact overall system performance, so it’s important to monitor memory usage closely.
This guide will help you check for common problems that cause the log ” built a DLS BitSet that uses [{}] bytes; the DLS BitSet cache has a maximum size of [{}] bytes; ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, cache.
Overview
Elasticsearch uses three types of caches to improve the efficiency of operation.
- Node request cache
- Shard data cache
- Field data cache
How they work
Node request cache maintains the results of queries used in a filter context. The results are evicted on a least recently used basis.
Shard data cache maintains the results of frequently used queries where size=0, particularly the results of aggregations. This cache is particularly relevant for logging use cases where data is not updated on old indices, and regular aggregations can be kept in cache to be reused.
The field data cache is used for sorting and aggregations. To keep these operations quick Elasticsearch loads these values into memory.
Examples
Elasticsearch usually manages cache behind the scenes, without the need for any specific settings. However, it is possible to monitor and limit the amount of memory being used on each node for a given cache type by putting the following in elasticsearch.yml :
indices.queries.cache.size: 10% indices.fielddata.cache.size: 30%
Note, the above values are in fact the defaults, and there is no need to set them specifically. The default values are good for most use cases, and should rarely be modified.
You can monitor the use of caches on each node like this:
GET /_nodes/stats/indices/fielddata GET /_nodes/stats/indices/query_cache GET /_nodes/stats/indices/request_cache
Notes and good things to know
Construct your queries with reusable filters. There are certain parts of your query which are good candidates to be reused across a large number of queries, and you should design your queries with this in mind. Anything thing that does not need to be scored should go in the filter section of a bool query. For example, time ranges, language selectors, or clauses that exclude inactive documents are all likely to be excluded in a large number of queries, and should be included in filter parts of the query so that they can be cached and reused.
In particular, take care with time filters. “now-15m” cannot be reused, because “now” will continually change as the time window moves on. On the other hand “now-15/m” will round to the nearest minute, and can be re-used (via cache) for 60 seconds before rolling over to the next minute.
For example when a user enters the search term “brexit”, we may want to also filter on language and time period to return relevant articles. The query below leaves only the query term “brexit” in the “must” part of the query, because this is the only part which should affect the relevance score. The time filter and language filter can be reused time and time again for new queries for different searches.
POST results/_search
{
"query": {
"bool": {
"must": [
{
"match": {
"message": {
"query": "brexit"
}
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-10d/d"
}
}
},
{
"term": {
"lang.keyword": {
"value": "en",
"boost": 1
}
}
}
]
}
}
}Limit the use of field data. Be careful about using fielddata=true in your mapping where the number of terms will result in a high cardinality. If you must use fielddata=true, you can also reduce the requirement of fielddata cache by limiting the requirements for fielddata for a given index using a field data frequency filter.
POST results/_search
{
"query": {
"bool": {
"must": [
{
"match": {
"message": {
"query": "brexit"
}
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-10d/d"
}
}
},
{
"term": {
"lang.keyword": {
"value": "en",
"boost": 1
}
}
}
]
}
}
}Log Context
Log “built a DLS BitSet that uses [{}] bytes; the DLS BitSet cache has a maximum size of [{}] bytes;” classname is DocumentSubsetBitsetCache.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
// A cache loader is not allowed to return null; return a marker object instead.
return NULL_MARKER;
}
final long bitSetBytes = result.ramBytesUsed();
if (bitSetBytes > this.maxWeightBytes) {
logger.warn("built a DLS BitSet that uses [{}] bytes; the DLS BitSet cache has a maximum size of [{}] bytes;" +
" this object cannot be cached and will need to be rebuilt for each use;" +
" consider increasing the value of [{}]";
bitSetBytes; maxWeightBytes; CACHE_SIZE_SETTING.getKey());
} else if (bitSetBytes + bitsetCache.weight() > maxWeightBytes) {
maybeLogCacheFullWarning();
[ratemypost]