{"id":44,"date":"2015-02-20T19:45:01","date_gmt":"2015-02-20T19:45:01","guid":{"rendered":"http:\/\/svops.com\/blog\/?p=44"},"modified":"2015-08-28T20:29:59","modified_gmt":"2015-08-28T20:29:59","slug":"elasticsearch-best-practices","status":"publish","type":"post","link":"http:\/\/svops.com\/blog\/elasticsearch-best-practices\/","title":{"rendered":"Elasticsearch best practices"},"content":{"rendered":"

Don’t forget to check out the Logstash best practices<\/a>, too.<\/p>\n

Memory<\/h2>\n

Give elasticsearch half of your system’s RAM, up to 32GB.<\/p>\n

Make sure the allocated memory doesn’t get swapped out by using mlockall. \u00a0In your config\/elasticsearch.yml, add:<\/p>\n

bootstrap.mlockall: true<\/span><\/pre>\n
You may need to allow this as part of the startup by running<\/span><\/p>\n
ulimit -l unlimited<\/pre>\n
On (at least) centos6, you can have this run for you in the init.d script by adding this line to \/etc\/sysconfig\/elasticsearch:<\/p>\n
MAX_LOCKED_MEMORY=unlimited<\/span><\/pre>\n
For centos7, edit\u00a0\/usr\/lib\/systemd\/system\/elasticsearch.service:<\/p>\n
LimitMEMLOCK=infinity<\/pre>\n
After restarting, confirm the setting is correct in elasticsearch:<\/p>\n
curl http<\/span>:\/\/<\/span>localhost<\/span>:<\/span>9200<\/span>\/<\/span>_nodes<\/span>\/<\/span>process<\/span>?<\/span>pretty<\/span><\/pre>\n
Index Names<\/h2>\n
Use an index for each day. \u00a0There are only two ways to delete data in elasticsearch, and using curator against daily indexes is the right one.<\/p>\n
Note that this is the default from logstash.<\/p>\n
Run an odd number of nodes<\/h2>\n
This will prevent the split-brain problem.<\/p>\n
Run at least three nodes<\/h2>\n
With one replica (two copies), using three nodes will give you an I\/O boost.<\/p>\n
Adjust the Mapping<\/h2>\n
Elasticsearch supports many different field types, and you should use the appropriate one for each field.<\/p>\n
By using ‘int’, you can use comparisons (“http_status:>500”) or ranges (“http_status:[400 TO 499]”). \u00a0Other field types give similar benefits of just using strings.<\/p>\n","protected":false},"excerpt":{"rendered":"
Don’t forget to check out the Logstash best practices, too. Memory Give elasticsearch half of your system’s RAM, up to 32GB. Make sure the allocated memory doesn’t get swapped out by using mlockall. \u00a0In your config\/elasticsearch.yml, add: bootstrap.mlockall: true You … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[11],"tags":[],"_links":{"self":[{"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/posts\/44"}],"collection":[{"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":5,"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":137,"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/posts\/44\/revisions\/137"}],"wp:attachment":[{"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/svops.com\/blog\/wp-json\/wp\/v2\/tags?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}