Elasticsearch Integration for Stack Monitoring fails

Good day,

I'm running an ELK Stack version 8.17.7 with several Elastic-Agents.

Problem

Since the update from 8.17.6 to 8.17.7, self monitoring is no longer functional. Hence the idea to feed the stack monitoring with the “Elasticsearch” integration (as recommended in the instructions).

Configuration

I followed the instructions, created a new user with the privileges from the instructions and adjusted the necessary configurations (information redacted):

  • Hosts: https[:]//IP:9200
  • Username: monitoring-user
  • Password: user-password
  • Scope: node
  • SSL-Configuration: ...

Error

If I now want to add the integration to my existing Fleet Policy, I get the following error:

Error installing elasticsearch 1.19.0: search_phase_execution_exception Caused by: search_phase_execution_exception: Search rejected due to missing shards [[.transform-internal-007][0]]. Consider using 'allow_partial_search_results' setting to bypass this error.

The index that appears here in the error is created by the integration.

According to Dev Tools this is UNASSIGNED:

GET _cat/shards/.transform-internal-007?v

.transform-internal-007 0 p UNASSIGNED

Questions

  • Do I have to activate anything else in the elasticsearch.yml configuration?
  • Are the authorizations according to the instructions not sufficient?
  • I tried to set the allow_partial_search_results as cluster setting, but it was not possible.

Any ideas?

Hello @g_ourmet

Welcome to the community.

Could you please check why the shard was not allocated, disk issue / node issue?

GET /.transform-internal-007/_ilm/explain?

Thanks!!

Hi @g_ourmet

Make sure you have the latest version of the integration.

It installs a transform and I believe you may need to start it by hand, or it will start if you basically reinstall or redeploy the integration onto an agent.

Oh I see you see that

You need to check the allocation of that shard and find out why it's not allocated.

See here
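
Added example, not part of the original thread or of Elastic's own tooling: one way to read the output of the cluster allocation explain API for the shard named in the error, listing which allocation deciders said NO on each node. The response below is constructed sample data (node names and explanation texts are assumptions), not output from the poster's cluster.

```python
import json

# Request to run in Dev Tools for the shard from the error message:
#   GET _cluster/allocation/explain
#   { "index": ".transform-internal-007", "shard": 0, "primary": true }

# Constructed sample response (assumed values, not from the poster's cluster).
SAMPLE_RESPONSE = json.loads("""
{
  "index": ".transform-internal-007", "shard": 0, "primary": true,
  "current_state": "unassigned",
  "unassigned_info": {"reason": "INDEX_CREATED", "last_allocation_status": "no"},
  "can_allocate": "no",
  "node_allocation_decisions": [
    {"node_name": "node-1", "node_decision": "no", "deciders": [
      {"decider": "disk_threshold", "decision": "NO",
       "explanation": "constructed: disk usage above the high watermark"}]},
    {"node_name": "node-2", "node_decision": "no", "deciders": [
      {"decider": "filter", "decision": "NO",
       "explanation": "constructed: node excluded by an allocation filter"},
      {"decider": "same_shard", "decision": "YES",
       "explanation": "constructed: no copy of this shard on the node"}]}
  ]
}
""")


def summarize_allocation(explain):
    """Return (headline, {node: [(decider, explanation), ...]}) for NO decisions."""
    info = explain.get("unassigned_info", {})
    role = "primary" if explain.get("primary") else "replica"
    headline = "{}[{}] {} is {} (reason={}, can_allocate={})".format(
        explain.get("index"), explain.get("shard"), role,
        explain.get("current_state"), info.get("reason"),
        explain.get("can_allocate"))
    blockers = {}
    # An assigned shard, or one with no usable copy, may carry no decider list.
    for node in explain.get("node_allocation_decisions", []):
        blocked = [(d["decider"], d.get("explanation", ""))
                   for d in node.get("deciders", []) if d.get("decision") == "NO"]
        if blocked:
            blockers[node.get("node_name", node.get("node_id", "?"))] = blocked
    return headline, blockers


if __name__ == "__main__":
    headline, blockers = summarize_allocation(SAMPLE_RESPONSE)
    print(headline)
    for node, reasons in blockers.items():
        for decider, why in reasons:
            print("  {}: {} -> {}".format(node, decider, why))
```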