Briefly, this error occurs when the Grok processor in Elasticsearch reaches its maximum recursion depth while parsing a document. This usually happens when there are deeply nested fields or a complex regular expression. To resolve this issue, you can simplify your regular expressions or reduce the depth of your nested fields. Alternatively, you can increase the maximum recursion depth, but this may impact performance and memory usage. It’s also important to ensure that your data is correctly formatted and doesn’t contain any unexpected or erroneous nested structures.
This guide will help you check for common problems that cause the log ” [{}] exited grok discovery early; reached max depth [{}] ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, discovery.
Overview
The process known as discovery occurs when an Elasticsearch node starts, restarts or loses contact with the master node for any reason. In those cases, the node needs to contact other nodes in the cluster to find any existing master node or initiate the election of a new master node.
How it works
Upon startup, each node looks for other nodes, firstly by contacting the IP addresses of eligible master nodes held in the previous cluster state. If they are not available, it will look for nodes based upon the seed host provider mechanisms available.
Seed host providers may be defined in 3 ways: list based, file based or plugin based. All of these methods provide a list of IP addresses or hostnames which the node should contact in order to obtain a list of master eligible nodes. The node will contact all of these addresses in turn, until either an active master is found, or failing that, until sufficient nodes can be found to elect a new master node.
Examples
The simplest form is to define a list of seed host providers in elasticsearch.yml:
discovery.seed_hosts: - 192.168.1.10:9300 - 192.168.1.11 - seeds.mydomain.com
An alternative way is to refer to a file using the following setting:
discovery.seed_providers: file
The file MUST be placed in the following filepath: $ES_PATH_CONF/unicast_hosts.txt
10.10.10.5 10.10.10.6:9305 10.10.10.5:10005 # an IPv6 address [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:9301
Note that the use of a port is optional. If not used, then the default port range of 9300-9400 will be used.
If you use AWS or GCS then you can install and use a plugin to obtain a list of seed hosts from an API. A plugin also exists for Azure but is deprecated since version 5.
AWS plugin
A typical configuration could be as follows:
discovery.seed_providers: ec2 discovery.ec2.tag.role: master discovery.ec2.tag.environment: dev discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com cloud.node.auto_attributes: true cluster.routing.allocation.awareness.attributes: aws_availability_zone
The above configuration would look for all nodes with a tag called “environment” set to “dev” and a tag called “role” set to “master”, in the AWS zone us-east-1. The last two lines set up cluster routing allocation awareness based upon aws availability zones. (Not necessary, but nice to have).
GCE plugin
A typical configuration could be as follows:
discovery.seed_providers: gce cloud.gce.project_id: <your-google-project-id> cloud.gce.zone: <your-zone> discovery.gce.tags: <my-tag-name>
The above configuration would look for all virtual machines inside your project, zone and with a tag set to the tag name you provide.
Notes and good things to know
Cluster formation depends on correct setup of the network.host settings in elasticsearch.yml. Make sure that the nodes can reach each other across the network using their IP addresses / hostname, and are not getting blocked due to firewall settings on the ports required.
Log Context
Log “[{}] exited grok discovery early; reached max depth [{}]” classname is GrokPatternCreator.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
} } if (bestCandidate == null || numRecurse >= MAX_RECURSE_DEPTH) { if (bestCandidate != null) { logger.warn("[{}] exited grok discovery early; reached max depth [{}]"; jobId; MAX_RECURSE_DEPTH); } if (isLast) { overallGrokPatternBuilder.append(".*"); } else if (isFirst || mustMatchStrings.stream().anyMatch(String::isEmpty)) { overallGrokPatternBuilder.append(".*?");
[ratemypost]