Cortex XSOAR: Reducing Elasticsearch Space Usage

Created On 02/23/22 21:58 PM - Last Modified 08/02/23 10:31 AM


Symptom


  • When you attempt to save new data (incidents, etc.) in Elasticsearch, new indexes cannot be created.
  • This happens if disk space usage exceeds the low watermark level set by Elasticsearch.
  • You see the error message ‘unable to allocate shards’, and the data is not saved.
  • If disk space usage exceeds the high watermark level set by Elasticsearch, you may not be able to log in to Cortex XSOAR, and all data will become read-only.


Environment


  • Cortex XSOAR
  • Versions 6.1, 6.2, 6.5, 6.6, 6.8, 6.9, 6.10


Cause


Exceeding the maximum percentage of disk space usage allowed by Elasticsearch.
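
One way to check which data nodes have crossed a watermark, as an added example (not part of the original article and not Palo Alto Networks code): it classifies nodes from the output of `GET _cat/allocation?format=json&bytes=b` against the cluster's `cluster.routing.allocation.disk.watermark.*` settings. The node names, disk figures and threshold values are constructed sample data.

```python
import re

# Constructed sample: rows from GET _cat/allocation?format=json&bytes=b
ALLOCATION = [
    {"node": "es-data-1", "disk.total": "1000000000000", "disk.avail": "280000000000"},
    {"node": "es-data-2", "disk.total": "1000000000000", "disk.avail": "130000000000"},
    {"node": "es-data-3", "disk.total": "1000000000000", "disk.avail": "40000000000"},
    {"node": "UNASSIGNED", "disk.total": None, "disk.avail": None},
]
# Constructed sample: GET _cluster/settings?include_defaults=true&flat_settings=true
SETTINGS = {
    "cluster.routing.allocation.disk.watermark.low": "85%",
    "cluster.routing.allocation.disk.watermark.high": "90%",
    "cluster.routing.allocation.disk.watermark.flood_stage": "95%",
}
UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3, "tb": 1024**4}
PREFIX = "cluster.routing.allocation.disk.watermark."

def exceeds(value, total, avail):
    """True if a node is past one watermark setting.
    Percent/ratio values cap used space; byte values are a floor on free space."""
    value = value.strip().lower()
    used_ratio = (total - avail) / total
    if value.endswith("%"):
        return used_ratio > float(value[:-1]) / 100
    m = re.fullmatch(r"([\d.]+)\s*(b|kb|mb|gb|tb)", value)
    if m:
        return avail < float(m.group(1)) * UNITS[m.group(2)]
    return used_ratio > float(value)  # bare ratio such as "0.85"

def classify(allocation, settings):
    """Map node name -> highest watermark crossed ("ok" if none)."""
    result = {}
    for row in allocation:
        if row.get("disk.total") is None:  # UNASSIGNED row has no disk figures
            continue
        total, avail = int(row["disk.total"]), int(row["disk.avail"])
        state = "ok"
        for level in ("low", "high", "flood_stage"):
            if exceeds(settings[PREFIX + level], total, avail):
                state = level
        result[row["node"]] = state
    return result

if __name__ == "__main__":
    for node, state in classify(ALLOCATION, SETTINGS).items():
        print(f"{node}: {state}")
```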

Resolution


There are three options available to reduce space usage:
  1. Archive data.
  2. Increase disk space on existing data nodes.
  3. Add additional data nodes.


Additional Information


Note: Customers choose their own versions/vendors for Elasticsearch deployment. Palo Alto Support does not provide support for the actual Elasticsearch deployment. This article only points to the things that can be checked.
