Maintain Elasticsearch


Check the /var/log/elasticsearch/elasticsearch.log and /var/log/elasticsearch/elasticsearch_server.json log files for non-INFO messages:

grep -v INFO /var/log/elasticsearch/elasticsearch.log /var/log/elasticsearch/elasticsearch_server.json

Check the log files in the /var/log/elasticsearch directory, including:

  • elasticsearch_deprecation.log

  • elasticsearch_deprecation.json

Errors are logged in /var/log/elasticsearch/elasticsearch.log, for example:

  • “All shards failed for phase: [query]”, often followed by:

    • Failed to parse query [query]

    • Cannot parse ‘query

    • Failed to execute [SearchRequest{ … "query":"query" … }]
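The grep -v INFO check above drops every line that contains the string INFO, so a non-INFO entry whose message mentions INFO is hidden, and stack-trace lines are printed without their entry. The following is an added example, not part of the original page, that filters on the level field of both log formats and counts entries per level and component; the function names and the sample log lines are constructed for illustration.

```shell
# es_non_info FILE...: print "COUNT LEVEL COMPONENT" for every non-INFO entry,
# reading the level field instead of dropping lines that merely contain "INFO".
es_non_info() {
    awk '
        { lvl = ""; comp = "" }
        # Plain log: [timestamp][LEVEL][component] [node] message
        /^\[/ && match($0, /\]\[[A-Z]+ *\]/) {
            lvl = substr($0, RSTART + 2, RLENGTH - 3); sub(/ +$/, "", lvl)
            comp = substr($0, RSTART + RLENGTH + 1); sub(/ *\].*/, "", comp)
        }
        # JSON log: one object per line with "level" and "component" keys
        /^[{]/ && match($0, /"level": *"[A-Z]+"/) {
            lvl = substr($0, RSTART, RLENGTH)
            sub(/^"level": *"/, "", lvl); sub(/"$/, "", lvl)
            if (match($0, /"component": *"[^"]*"/)) {
                comp = substr($0, RSTART, RLENGTH)
                sub(/^"component": *"/, "", comp); sub(/"$/, "", comp)
            }
        }
        # Stack-trace continuation lines match neither form and are skipped.
        lvl != "" && lvl != "INFO" { n[lvl " " comp]++ }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -k2
}

# es_sample_logs DIR: write constructed sample logs (not real server output).
es_sample_logs() {
    cat > "$1/elasticsearch.log" <<'EOF'
[2024-05-01T10:00:00,000][INFO ][o.e.n.Node               ] [node-1] started
[2024-05-01T10:00:05,000][WARN ][o.e.c.s.Settings         ] [node-1] level INFO is overridden
[2024-05-01T10:00:09,000][DEBUG][o.e.a.s.TransportSearchAction] [node-1] All shards failed for phase: [query]
Caused by: org.elasticsearch.index.query.QueryShardException: Failed to parse query [query]
EOF
    cat > "$1/elasticsearch_server.json" <<'EOF'
{"type": "server", "timestamp": "2024-05-01T10:00:00,000Z", "level": "INFO", "component": "o.e.n.Node", "message": "started"}
{"type": "server", "timestamp": "2024-05-01T10:00:05,000Z", "level": "WARN", "component": "o.e.c.s.Settings", "message": "level INFO is overridden"}
EOF
}

# Demo on the constructed samples; on the server, pass the real log paths.
demo_dir=$(mktemp -d)
es_sample_logs "$demo_dir"
es_non_info "$demo_dir/elasticsearch.log" "$demo_dir/elasticsearch_server.json"
rm -rf "$demo_dir"
```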


/etc/elasticsearch/ configures a log file rotation strategy of:

appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB

To change to a 7-day rotation strategy, update this repository to replace those lines with:

appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
appender.rolling.strategy.action.condition.nested_condition.age = 7D

Manage data

One-time setup

Set the password of the manage user of the service in a ~/.netrc file.

List indices:

curl -n

List base URLs in a given index, for example:

curl -n -X GET '' \
--json '{"aggs": {"base_urls": {"terms": {"field": "base_url", "size": 10000}}}}'

Delete documents matching a base URL:

curl -n -X POST '' \
--json '{"query": {"term": {"base_url": ""}}}'

Expire documents using OCDS Index (pip install ocdsindex):

ocdsindex expire --exclude-file=ocdsindex-exclude.txt

Search documents in a given index matching a base URL, for example:

curl -n -X GET '' \
--json '{"query": {"term": {"base_url": ""}}}'

List users’ queries:

zgrep -Eoh "q=[^&]+&" /var/log/apache2/* | grep -v '=test&' | grep -v '=tender&' | sort



Before upgrading Elasticsearch, check that all plugins (below) support the new version.


OCDS Index supports Elasticsearch 7.x only.

  1. Connect to the server as the root user.

  2. Perform any outstanding updates:

    apt-get update && apt-get dist-upgrade

  3. Update Elasticsearch (the Elasticsearch package is held to prevent accidental updates):

    apt-mark unhold elasticsearch
    apt-get update && apt-get dist-upgrade
    apt-mark hold elasticsearch

  4. Update plugins, as described below.

  5. Test that Elasticsearch is working.

    1. Check that the service is running without errors.

      systemctl status elasticsearch

    2. Test that the site search works.


If the ReadOnlyREST plugin is used:

  1. Check the changelog for a new version of ReadOnlyREST. Note which versions of Elasticsearch are supported.

  2. In the server’s Pillar file, set elasticsearch.plugins.readonlyrest.version to the version of ReadOnlyREST to install, and set elasticsearch.version to the already installed version of Elasticsearch:

    dpkg-query --show elasticsearch

  3. Stop Elasticsearch, for example:

    systemctl stop elasticsearch

  4. Uninstall ReadOnlyREST, for example:

    /usr/share/elasticsearch/bin/elasticsearch-plugin remove readonlyrest

  5. Deploy the service.

Reference: Upgrading the plugin