Migrate elasticsearch data from the manager to the search node

[joachim-zauner-epcom]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

128

Storage for /

98

Storage for /nsm

192

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hi, i want to move the Elasticsearch data from the manager to the search node. As mentioned in the documentation the manager node has the "data" Role after installation. Later on, i installed the search node and added it successful to the grid.
Now i dont want to have the data on the manager and the search node, only at the search node.
But when i remove the role "data" from the configuration of the manager i get an error while starting elasticsearch

fatal exception while booting Elasticsearch
java.lang.IllegalStateException: node does not have the data role but has shard data

At the end of the error there is also a hint "Use 'elasticsearch-node repurpose' tool to clean up"
but i cannot find the tool elasticsearch-node

What are the correct steps to migrate the data from the manager to the search node

thank you in advance
best regards
Joachim

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[robbiemarshall]

You need to migrate off the existing elastic data using the following command via the CLI on your manager node:

sudo so-elasticsearch-query _cluster/settings -d '{"transient": {"cluster.routing.allocation.exclude._ip": "manager_ip" } }' -XPUT

With "manager_ip" being your manager's IP, so "x.x.x.x".

This will probably take some time based on how much elastic data is on your manager. You can check the progress by running:

sudo so-elasticsearch-query _cat/shards

The location of the shards will be on the far right column. Make sure that all the shards have moved from the manager node to the search node.

Once all your data is off the manager, you can now remove the data role from your manager node via SOC per the documentation.

[joachim-zauner-epcom]

Thank you! This worked for me. However i had to change the number_of_replicas to 0 for the elastalert_error index to completley remove all shards from my manager. After that, i removed the data role and now elasticsearch on manager comes up and is running again.
Thanks