Today, while querying logs, Graylog reported an error:
While retrieving data for this widget, the following error(s) occurred:
Unable to perform search query: Elasticsearch exception [type=illegal_argument_exception, reason=Result window is too large, from + size must be less than or equal to: [10000] but was [12081150]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level setting.].
It says that ES's default maximum search window (index.max_result_window) is 10,000 entries, that is, the cap on how many hits a search can return (from + size).
A quick search showed that index.max_result_window can be changed.
1. Modify the existing indices
On the server where ES runs, enter the following command:
curl -H "Content-Type: application/json" -XPUT http://127.0.0.1:9200/_all/_settings -d '{ "index" : { "max_result_window" : 1000000}}'
2. Modify the index template, so that newly created indices also get the changed index.max_result_window:
curl -H "Content-Type: application/json" -XPUT http://127.0.0.1:9200/_template/graylog-gdmp-mapping -d '{
  "order": 1,
  "index_patterns": [
    "gdmp_*"
  ],
  "settings": {
    "index": {
      "analysis": {
        "analyzer": {
          "analyzer_keyword": {
            "filter": "lowercase",
            "tokenizer": "keyword"
          }
        }
      },
      "max_result_window": 1000000
    }
  },
  "mappings": {
    "_source": {
      "enabled": true
    },
    "dynamic_templates": [
      {
        "internal_fields": {
          "mapping": {
            "type": "keyword"
          },
          "match_mapping_type": "string",
          "match": "gl2_*"
        }
      },
      {
        "store_generic": {
          "mapping": {
            "type": "keyword"
          },
          "match_mapping_type": "string"
        }
      }
    ],
    "properties": {
      "streams": {
        "type": "keyword"
      },
      "message": {
        "fielddata": false,
        "analyzer": "standard",
        "type": "text"
      },
      "timestamp": {
        "format": "uuuu-MM-dd HH:mm:ss.SSS",
        "type": "date"
      }
    }
  }
}'
- The purpose of this cURL command is to create or update a template named graylog-gdmp-mapping in Elasticsearch. The template applies to all indices whose names start with gdmp_ and defines the corresponding mappings and settings.
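Two things are worth checking before copying the commands above. First, the error itself reports from + size = 12,081,150, so a window of 1,000,000 still rejects that widget query; the check ES applies is simply from + size <= index.max_result_window. Second, every deep-paging request costs heap on each shard in proportion to from + size, which is why the error message points at the scroll API for large result sets. The added example below (my code, not from the post or from Graylog/Elasticsearch) issues the two PUT requests from the post and pages through a large result set with the scroll API through a pluggable transport callable, so it can be exercised offline. ES_URL, the index name and the transport signature are assumptions.

```python
"""Added example (not from the original post): the two settings calls the
post describes plus scroll-API paging, driven through a transport callable
with the signature transport(method, url, body) -> dict."""
import json
import urllib.request

ES_URL = "http://127.0.0.1:9200"   # same endpoint as in the post (assumed)
MAX_RESULT_WINDOW = 1_000_000      # value the post sets


def urllib_transport(method, url, body=None):
    """Real HTTP transport for a local Elasticsearch (not used by the offline test)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_max_result_window(transport, window=MAX_RESULT_WINDOW, index="_all"):
    """Step 1 of the post: PUT index.max_result_window on existing indices."""
    body = {"index": {"max_result_window": window}}
    return transport("PUT", f"{ES_URL}/{index}/_settings", body)


def set_template_window(transport, name, patterns, window=MAX_RESULT_WINDOW):
    """Step 2 of the post, reduced to the one setting: a template so that
    indices created later inherit the window. Hypothetical name/patterns."""
    body = {"order": 1, "index_patterns": patterns,
            "settings": {"index": {"max_result_window": window}}}
    return transport("PUT", f"{ES_URL}/_template/{name}", body)


def window_allows(from_, size, window):
    """The check that produced the error: from + size must not exceed window."""
    return from_ + size <= window


def scroll_all(transport, index, query, page_size=1000, keep_alive="1m"):
    """Yield every hit via the scroll API. Memory per request is bounded by
    page_size instead of by the absolute offset, so no window change is needed."""
    page = transport("POST", f"{ES_URL}/{index}/_search?scroll={keep_alive}",
                     {"size": page_size, "query": query})
    scroll_id = page["_scroll_id"]
    try:
        while page["hits"]["hits"]:
            yield from page["hits"]["hits"]
            page = transport("POST", f"{ES_URL}/_search/scroll",
                             {"scroll": keep_alive, "scroll_id": scroll_id})
            scroll_id = page["_scroll_id"]
    finally:
        # Always release the scroll context; open contexts hold shard resources.
        transport("DELETE", f"{ES_URL}/_search/scroll", {"scroll_id": [scroll_id]})


if __name__ == "__main__":
    # Against a live node: set_max_result_window(urllib_transport)
    print(window_allows(0, 12_081_150, MAX_RESULT_WINDOW))   # the widget still fails
```

Pass urllib_transport to run the calls against a real node; the scroll loop is what a log export or bulk analysis job should use in place of ever larger from/size values.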