Before you dig into the details of this technical guide, have you tried asking OpsGPT?
You'll receive concise answers that will help streamline your Elasticsearch/OpenSearch operations.
Try OpsGPT now for step-by-step guidance and tailored insights into your Elasticsearch/ OpenSearch operation.
Before you dig into the details of this guide, have you tried asking OpsGPT? You’ll receive concise answers that will help streamline your Elasticsearch/OpenSearch operations. Try OpsGPT.
We also recommend you run the free Elasticsearch Cost Insight tool. It provides personalized recommendations on how to improve your resource utilization and lower your hardware costs.
Low disk watermark is another one of the issues in Elasticsearch that can be avoided and solved automatically by using the AutoOps platform. Try AutoOps for free.
Overview
There are various “watermark” thresholds on your Elasticsearch cluster. As the disk fills up on a node, the first threshold to be crossed will be the “low disk watermark”. Once this threshold is crossed, the Elasticsearch cluster will stop allocating shards to that node. This means that your cluster may become yellow.
The second threshold will then be the “high disk watermark threshold”. Finally, the “disk flood stage” will be reached. Once this threshold is passed, the cluster will then block writing to ALL indices that have one shard (primary or replica) on the node which has passed the watermark. Reads (searches) will still be possible.
Watch 2 min video for quick troubleshooting steps to resolve low disk watermark in Elasticsearch:
How to resolve it
Passing this threshold is a warning and you should not delay in taking action before the higher thresholds are reached. Here are possible actions you can take to resolve the issue:
- Delete old indices
- Remove documents from existing indices
- Increase disk space on the node
- Add new nodes to the cluster
You can see the settings you have applied with this command:
GET _cluster/settings
If they are not appropriate, you can modify them using a command such as below:
PUT _cluster/settings
{
"transient": {
"cluster.routing.allocation.disk.watermark.low": "85%",
"cluster.routing.allocation.disk.watermark.high": "90%",
"cluster.routing.allocation.disk.watermark.flood_stage": "95%",
"cluster.info.update.interval": "1m"
}
}How to avoid it
There are various mechanisms to automatically delete stale data.
How to automatically delete stale data:
- Apply ISM (Index State management)
Using ISM you can get OpenSearch to automatically delete an index when your current index size reaches a given age.
- Use date-based indices
If your application uses date-based indices, then it is easy to delete old indices using a script.
- Use snapshots to store data offline
It may be appropriate to store snapshotted data offline and restore it in the event that the archived data needs to be reviewed or studied.
- Automate / simplify process to add new data nodes
Use automation tools such as terraform to automate the addition of new nodes to the cluster. If this is not possible, at the very least ensure you have a clearly documented process to create new nodes, add TLS certificates and configuration and bring them into the OpenSearch cluster in a short and predictable time frame.
