Determining the node with maximum data

You can use the following PATROL for Elasticsearch metric to check which node has more data as compared to other nodes.

Store size share

Store size share of a node helps us understand if the server is making use of all the memory. If the store size of a specific node is more, it indicates that the store size of some nodes is not utilized properly on the cluster. For more information about this attribute, see Store size share attribute page.

Set a threshold on this attribute to get notified about the share of node’s store size out of aggregate size across all nodes in a cluster. Consider setting up an alert to trigger if the store size share is high. The KM generates an alarm and triggers an event when the threshold values are met. 

Suggested action

The KM event indicates that you might want to check the disk space of the node that is running the Elasticsearch service. You can either increase the store size or recheck the disk allocation of the nodes. 

Where to go from here

Using the TrueSight console, you can adjust the thresholds ranges for these monitoring attributes with the Agent Threshold tab in the Infrastructure Policies page. For more information see, Defining a monitoring policy.