Briefly, this error occurs when Elasticsearch fails to store the results of an Event Query Language (EQL) search due to issues like insufficient disk space, incorrect permissions, or network connectivity problems. To resolve this, ensure there’s enough disk space and correct permissions are set for the Elasticsearch data directory. Also, check the network connectivity between Elasticsearch nodes. If the issue persists, consider increasing the timeout value for EQL queries or optimizing your EQL queries for better performance.
This guide will help you check for common problems that cause the log ” failed to store eql search results for [” + searchTask.getExecutionId().getEncoded() + “] ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, task, search.
Overview
A task is an Elasticsearch operation, which can be any request performed on an Elasticsearch cluster, such as a delete by query request, a search request and so on. Elasticsearch provides a dedicated Task API for the task management which includes various actions, from retrieving the status of current running tasks to canceling any long running task.
Examples
Get all currently running tasks on all nodes of the cluster
Apart from other information, the response of the below request contains task IDs of all the tasks which can be used to get detailed information about the particular task in question.
GET _tasks
Get detailed information of a particular task
Where clQFAL_VRrmnlRyPsu_p8A:1132678759 is the ID of the task in below request
GET _tasks/clQFAL_VRrmnlRyPsu_p8A:1132678759
Get all the current tasks running on particular nodes
GET _tasks?nodes=nodeId1,nodeId2
Cancel a task
Where clQFAL_VRrmnlRyPsu_p8A:1132678759 is the ID of the task in the below request
POST /_tasks/clQFAL_VRrmnlRyPsu_p8A:1132678759/_cancel?pretty
Notes
- The Task API will be most useful when you want to investigate the spike of resource utilization in the cluster or want to cancel an operation.
Overview
Search refers to the searching of documents in an index or multiple indices. The simple search is just a GET API request to the _search endpoint. The search query can either be provided in query string or through a request body.
Examples
When looking for any documents in this index, if search parameters are not provided, every document is a hit and by default 10 hits will be returned.
GET my_documents/_search
A JSON object is returned in response to a search query. A 200 response code means the request was completed successfully.
{
"took" : 1,
"timed_out" : false,
"_shards" : {
"total" : 2,
"successful" : 2,
"failed" : 0
},
"hits" : {
"total" : 2,
"max_score" : 1.0,
"hits" : [
...
]
}
}Notes and good things to know
- Distributed search is challenging and every shard of the index needs to be searched for hits, and then those hits are combined into a single sorted list as a final result.
- There are two phases of search: the query phase and the fetch phase.
- In the query phase, the query is executed on each shard locally and top hits are returned to the coordinating node. The coordinating node merges the results and creates a global sorted list.
- In the fetch phase, the coordinating node brings the actual documents for those hit IDs and returns them to the requesting client.
- A coordinating node needs enough memory and CPU in order to handle the fetch phase.
Log Context
Log “failed to store eql search results for [” + searchTask.getExecutionId().getEncoded() + “]” classname is AsyncTaskManagementService.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
)
);
} catch (Exception exc) {
taskManager.unregister(searchTask);
searchTask.onFailure(exc);
logger.error(() -> "failed to store eql search results for [" + searchTask.getExecutionId().getEncoded() + "]"; exc);
}
}
/**
* Adds a self-unregistering listener to a task. It works as a normal listener except it retrieves a partial response and unregister
[ratemypost]
