Briefly, this error occurs when Elasticsearch fails to process a bulk request due to reasons like exceeding the index size limit, insufficient memory, or incorrect data format. To resolve this, you can increase the index size limit or allocate more memory to Elasticsearch. Also, ensure the data format is correct and compatible with Elasticsearch. Additionally, consider breaking down large bulk requests into smaller ones to avoid overwhelming the system.
This guide will help you check for common problems that cause the log ” unable to process bulk failure ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: bulk, delete, delete-by-query, deletebyquery and plugins.
Overview
In Elasticsearch, when using the Bulk API it is possible to perform many write operations in a single API call, which increases the indexing speed. Using the Bulk API is more efficient than sending multiple separate requests. This can be done for the following four actions:
- Index
- Update
- Create
- Delete
Examples
The bulk request below will index a document, delete another document, and update an existing document.
POST _bulk
{ "index" : { "_index" : "myindex", "_id" : "1" } }
{ "field1" : "value" }
{ "delete" : { "_index" : "myindex", "_id" : "2" } }
{ "update" : {"_id" : "1", "_index" : "myindex"} }
{ "doc" : {"field2" : "value5"} }Notes
- Bulk API is useful when you need to index data streams that can be queued up and indexed in batches of hundreds or thousands, such as logs.
- There is no correct number of actions or limits to perform on a single bulk call, but you will need to figure out the optimum number by experimentation, given the cluster size, number of nodes, hardware specs etc.
Overview
DELETE is an Elasticsearch API which removes a document from a specific index. This API requires an index name and _id document to delete the document.
Delete a document
DELETE /my_index/_doc/1
Notes
- A delete request throws 404 error code if the document does not already exist in the index.
- If you want to delete a set of documents that matches a query, you need to use delete by query API.
Overview
Delete-by-query is an Elasticsearch API, which was introduced in version 5.0 and provides functionality to delete all documents that match the provided query. In lower versions, users had to install the Delete-By-Query plugin and use the DELETE /_query endpoint for this same use case.
What it is used for
This API is used for deleting all the documents from indices based on a query. Once the query is executed, Elasticsearch runs the process in the background to delete all the matching documents so you don’t have to wait for the process to be completed.
Examples
Delete all the documents of an index without deleting the mapping and settings:
POST /my_index/_delete_by_query?conflicts=proceed&pretty
{
"query": {
"match_all": {}
}
}The conflict parameter in the request is used to proceed with the request even in the case of version conflicts for some documents. The default conflict behavior is to abort the request altogether.
Notes
- A long-running delete_by_query can be terminated using _task API.
- Inside the query body, you can use the same syntax for queries that are available under the _search API.
Common problems
Elasticsearch takes a snapshot of the index when you hit delete by query request and uses the _version of the documents to process the request. If a document gets updated in the meantime, it will result in a version conflict error and the delete operation will fail.
Log Context
Log “unable to process bulk failure” classname is TransportDeleteByQueryAction.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
}
logger.trace("scrolling document terminated due to scroll request failure [{}]"; scrollId);
finishHim(scrollId; hasTimedOut(); failure);
} catch (Throwable t) {
logger.error("unable to process bulk failure"; t);
finishHim(scrollId; false; t);
}
}
void finishHim(final String scrollId; boolean scrollTimedOut; Throwable failure) {
[ratemypost]
