Elasticsearch 6 index changes to read-only after a few seconds

I want to use Elasticsearch 6 on Mac OS, but when I create an index by adding a document to a non-existent index, after a few seconds the index changes to read-only, and if I add or update a document it gives this error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "cluster_block_exception",
        "reason" : "blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"
      }
    ],
    "type" : "cluster_block_exception",
    "reason" : "blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"
  },
  "status" : 403
}

I tested disabling read-only with:

curl -H 'Content-Type: application/json' -XPUT 'localhost:9200/test/_settings?pretty' -d '
{
    "index": {
        "blocks.read_only": false
    }
}'

{
  "acknowledged" : true
}

but nothing changes.

I tested Elasticsearch 6 on another system with Ubuntu and it's OK, with no error, so I think maybe something is wrong with my system, but Elasticsearch 5.6.2 works correctly without any error.

The Elasticsearch log is:

[2018-01-05T21:56:52,254][WARN ][o.e.c.r.a.DiskThresholdMonitor] [gCjouly] flood stage disk watermark [95%] exceeded on [gCjoulysTFy1DDU7f7dOWQ][gCjouly][/Users/peter/Downloads/elasticsearch-6.1.1/data/nodes/0] free: 15.7gb[3.3%], all indices on this node will marked read-only

I had this problem. I think Elasticsearch 6 added a new setting that closes the index when the empty hard disk space is less than 5%. You can disable this with the line below in elasticsearch.yml:

 cluster.routing.allocation.disk.threshold_enabled: false

Then restart Elasticsearch. I hope this works for you.

Convenience for copy/pasting into Kibana console

# disable threshold alert
PUT /_cluster/settings
{
  "persistent" : {
    "cluster.routing.allocation.disk.threshold_enabled" : false
  }
}

# unlock indices from read-only state
PUT /_all/_settings
{
  "index.blocks.read_only_allow_delete": null
}
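
Added example (not part of the original question or answers): a small Python triage helper that maps the block id in the question's error to the index setting behind it and reads the DiskThresholdMonitor warning, which shows why setting blocks.read_only to false had no effect. The function names are illustrative, the block-id table lists Elasticsearch's built-in index blocks, and only percentage watermarks are parsed.

```python
import json
import re

# Added example; names are illustrative. Built-in index block ids (the number
# in "FORBIDDEN/<id>/...") mapped to the index setting that controls each.
BLOCK_SETTINGS = {
    5: "index.blocks.read_only",
    7: "index.blocks.read",
    8: "index.blocks.write",
    9: "index.blocks.metadata",
    12: "index.blocks.read_only_allow_delete",
}

# Both samples are copied from the question above.
REASON = "blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"
LOG_LINE = (
    "[2018-01-05T21:56:52,254][WARN ][o.e.c.r.a.DiskThresholdMonitor] [gCjouly] "
    "flood stage disk watermark [95%] exceeded on [gCjoulysTFy1DDU7f7dOWQ][gCjouly]"
    "[/Users/peter/Downloads/elasticsearch-6.1.1/data/nodes/0] free: 15.7gb[3.3%], "
    "all indices on this node will marked read-only"
)

BLOCK_RE = re.compile(r"FORBIDDEN/(\d+)/")
DISK_RE = re.compile(
    r"DiskThresholdMonitor.*?(low|high|flood stage) disk watermark "
    r"\[([\d.]+)%\] exceeded.*?free: ([\d.]+\w+)\[([\d.]+)%\]"
)

def setting_for_block(reason):
    """Map a cluster_block_exception reason to the index setting behind it."""
    m = BLOCK_RE.search(reason)
    return BLOCK_SETTINGS.get(int(m.group(1))) if m else None

def parse_disk_warning(line):
    """Extract stage, limit and free space (percentage watermarks only)."""
    m = DISK_RE.search(line)
    if not m:
        return None
    stage, limit, free, free_pct = m.groups()
    return dict(stage=stage, limit_pct=float(limit), free=free, free_pct=float(free_pct))

def diagnose(reason, log_lines):
    """Return the setting to reset and whether disk use is still over the flood limit."""
    setting = setting_for_block(reason)
    floods = [w for w in map(parse_disk_warning, log_lines)
              if w and w["stage"] == "flood stage"]
    still_full = any(100.0 - w["free_pct"] >= w["limit_pct"] for w in floods)
    body = json.dumps({setting: None}) if setting else None
    return {"setting": setting, "disk_full": still_full, "unblock_body": body}
```

Calling diagnose(REASON, [LOG_LINE]) names index.blocks.read_only_allow_delete as the setting to reset and reports disk_full as true. While that holds, the disk monitor re-applies the block after it is cleared, so free disk space first and then send unblock_body to /_all/_settings.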

If you are working with Elasticsearch in Docker, it's possible that Docker has run out of space. Either run docker volume prune to remove unused local volumes or increase your disk image size in Docker Preferences.

  • Yes thank you, finally!! I set this via the REST api as a persistent setting and now elasticsearch seems to obey.
  • For those on a Mac, /usr/local/etc/elasticsearch/elasticsearch.yml
  • This is a great finding, thanks for the contribution