Elasticsearch Cluster Red Status — Unassigned Shards and Data Loss Risk
About Elasticsearch Cluster Red Status
Fix Elasticsearch cluster red health status caused by unassigned primary shards, node failures, or insufficient disk space preventing data availability.
This article is part of our Linux Error Codes collection on Error Codes Wiki.
Quick Answer
Is red status an emergency?
Red means some data is unavailable. If those are critical indices, yes, it is urgent. If they are old logs you can recreate, it is less urgent. The priority is to get primary shards assigned — check unassigned.reason for the fix.
Key Details
- Elasticsearch cluster health: green (all shards assigned), yellow (replicas unassigned), red (primary shards unassigned)
- Red status means some data is unavailable because primary shards are not assigned to any node
- This typically happens when nodes leave the cluster and their primary shards have no replicas
- Unassigned shards can be caused by disk space, node failures, or allocation rules
- Red status affects only the indices with unassigned primary shards — other indices may still work
Common Causes
- Node crashed or was removed from the cluster and it held the only copy of some primary shards
- Disk usage exceeded the flood_stage watermark (95% by default), blocking shard allocation
- Shard allocation rules preventing shards from being placed on available nodes
- Corrupted index preventing shard recovery on node restart
Steps
1. Check cluster health: curl -XGET 'localhost:9200/_cluster/health?pretty'
2. Find unassigned shards: curl -XGET 'localhost:9200/_cat/shards?v&h=index,shard,prirep,state,unassigned.reason'
3. Check allocation explanation: curl -XGET 'localhost:9200/_cluster/allocation/explain?pretty'
4. Free disk space if above watermark: delete old indices or increase disk capacity on nodes
5. Restart failed nodes and allow shard recovery to complete before taking further action
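
As an added example (not part of the original article), this shell function groups the shard listing from the second step by index, separating indices with an unassigned primary (red) from those missing only replicas (yellow) and listing each unassigned.reason. The sample rows and index names are constructed for illustration.

```shell
#!/bin/sh
# Triage `_cat/shards` output: which indices are red (unassigned primary)
# versus only yellow (unassigned replica), and why.

# Constructed sample of the columns index,shard,prirep,state,unassigned.reason.
# Index names are made up for illustration.
SAMPLE_SHARDS='logs-2024.01 0 p STARTED
logs-2024.01 0 r UNASSIGNED NODE_LEFT
logs-2024.02 0 p UNASSIGNED NODE_LEFT
logs-2024.02 1 p STARTED
orders 0 p UNASSIGNED ALLOCATION_FAILED
orders 0 r UNASSIGNED ALLOCATION_FAILED
metrics 0 p STARTED
metrics 0 r STARTED'

# Reads shard rows on stdin; prints one sorted line per affected index:
#   <colour> <index> primaries=<n> replicas=<n> reasons=<r1,r2>
# A header row (from ?v) is ignored because its 4th field is "state".
triage_shards() {
  awk '
    $4 == "UNASSIGNED" {
      seen[$1] = 1
      if ($3 == "p") pri[$1]++; else rep[$1]++
      reason = ($5 == "" ? "unknown" : $5)
      # Record each distinct reason once per index.
      if (!(($1, reason) in dedup)) {
        dedup[$1, reason] = 1
        reasons[$1] = (reasons[$1] == "" ? reason : reasons[$1] "," reason)
      }
    }
    END {
      for (i in seen)
        printf "%s %s primaries=%d replicas=%d reasons=%s\n",
          (pri[i] > 0 ? "red" : "yellow"), i, pri[i], rep[i], reasons[i]
    }' | sort
}

# Indices to fix first: those with at least one unassigned primary.
red_indices() { triage_shards | awk '$1 == "red" { print $2 }'; }

# Live use:
#   curl -s 'localhost:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason' | triage_shards
printf '%s\n' "$SAMPLE_SHARDS" | triage_shards
```

Indices reported as red are the ones with unavailable data; their reasons indicate whether to restart a node, free disk space, or review the allocation explanation.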