this cluster currently has [1000]/[1000] maximum shards open

[dp466]

Hi All!

ive seen this issue on the standard deployment but not via Docker

i get the following error from the Dashboard container: An OpenSearch Dashboards keystore already exists. Overwrite? [y/N] Created OpenSearch Dashboards keystore in /usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore FATAL {"error":{"root_cause":[{"type":"validation_exception","reason":"Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}],"type":"validation_exception","reason":"Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"},"status":400}

i dont know how to fix that issue

[soundmountain]

As a temporary fix you can increase the amount of shards. exec into to the shell of wazuh-indexer and then run this command (change user and pw accordingly): curl -u admin:SecretPassword -X PUT https://localhost:9200/_cluster/settings -H "Content-Type: application/json" -d '{ "persistent": { "cluster.max_shards_per_node": "3000" } }' -k after that i suggest you look at the documentation https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html and configure a retention policy and apply it to your indices otherwise the same problem will occur later down the road once 3000 shards are open.