How to fix unassigned shard.

[DCraigRich]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

1 socket 16 cores

RAM

48GB

Storage for /

960GB

Storage for /nsm

10TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Elastic Search is in a failed state. I see an unassigned shard and am not sure how to fix:
_cat/shards?v=true&h=index,shard,prirep,state,unassigned.reason&s=state'

index shard prirep state unassigned.reason
.ds-logs-soc-so-2025.10.11-000001 0 p UNASSIGNED CLUSTER_RECOVERED

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

What does this show? sudo so-elasticsearch-query _cluster/allocation/explain?pretty

[DCraigRich]

Looks like it is corrupt or stale:

[root@seconion10 secadmin]# sudo so-elasticsearch-query _cluster/allocation/explain?pretty
{
"note" : "No shard was specified in the explain API request, so this response explains a randomly chosen unassigned shard. There may be other unassigned shards in this cluster which cannot be assigned for different reasons. It may not be possible to assign this shard until one of the other shards is assigned correctly. To explain the allocation of other shards (whether assigned or unassigned) you must specify the target shard in the request to this API. See https://www.elastic.co/guide/en/elasticsearch/reference/8.18/cluster-allocation-explain.html for more information.",
"index" : ".ds-logs-soc-so-2025.10.11-000001",
"shard" : 0,
"primary" : true,
"current_state" : "unassigned",
"unassigned_info" : {
"reason" : "CLUSTER_RECOVERED",
"at" : "2025-11-06T13:55:01.073Z",
"last_allocation_status" : "no_valid_shard_copy"
},
"can_allocate" : "no_valid_shard_copy",
"allocate_explanation" : "Elasticsearch can't allocate this shard because all the copies of its data in the cluster are stale or corrupt. Elasticsearch will allocate this shard when a node containing a good copy of its data joins the cluster. If no such node is available, restore this index from a recent snapshot.",
"node_allocation_decisions" : [
{
"node_id" : "7OXBdK6vQFy7b779uXSYgw",
"node_name" : "seconion10",
"transport_address" : "192.168.40.10:9300",
"node_attributes" : {
"ml.config_version" : "12.0.0",
"xpack.installed" : "true",
"transform.config_version" : "10.0.0"
},
"roles" : [
"data",
"data_hot",
"ingest",
"master",
"remote_cluster_client",
"transform"
],
"node_decision" : "no",
"store" : {
"in_sync" : true,
"allocation_id" : "1yV5_3RJRTaFKVVTev3Oxw",
"store_exception" : {
"type" : "corrupt_index_exception",
"reason" : "failed engine (reason: [merge failed]) (resource=preexisting_corruption)",
"caused_by" : {
"type" : "i_o_exception",
"reason" : "failed engine (reason: [merge failed])",
"caused_by" : {
"type" : "corrupt_index_exception",
"reason" : "checksum failed (hardware problem?) : expected=e3f351dd actual=9cf94bc3 (resource=BufferedChecksumIndexInput(MemorySegmentIndexInput(path="/usr/share/elasticsearch/data/indices/6_MbsZVqSLeb4iJVj4RQQg/0/index/_c1io.cfs") [slice=_c1io_Lucene90_0.dvd]))"
}
}
}
}
}
]
}

Thanks

[cm-ops]

If that index is corrupt, you would want to remove it with DELETE. You can do it in Kibana > Stack Management > Index Management or via the CLI with sudo so-elasticsearch-query .ds-logs-soc-so-2025.10.11-000001 -XDELETE

If you get an error that says you cannot delete because that it the write index for the data stream, then use the rollover API first, then delete it. To rollover the data stream - sudo so-elasticsearch-query logs-soc-so/_rollover -XPOST

[DCraigRich]

This fixed my problem. Thanks!