Handling the Dynamic Pruning Failure in Cardinality Aggregations in Elasticsearch

[post-views]
December 03, 2024 · 2 min read
Handling the Dynamic Pruning Failure in Cardinality Aggregations in Elasticsearch

When working with Elasticsearch, you may encounter the following error during complex queries involving cardinality aggregations:

Failed when performing dynamic pruning in cardinality aggregation. 
You can set cluster setting
[search.dynamic_pruning.cardinality_aggregation.max_allowed_cardinality]
to 0 to disable.

This error typically occurs when Elasticsearch’s dynamic pruning mechanism, designed to optimize aggregation queries, struggles to handle high cardinality (i.e., a large number of unique terms or values). Let’s dive into what this means and how to resolve it.

Why Does This Error Occur?

The error indicates that Elasticsearch encountered difficulties applying dynamic pruning due to excessively high cardinality in the aggregation. By default, Elasticsearch imposes limits to prevent overwhelming system resources. If this limit is exceeded, the query fails, and the error message appears.

How to Resolve the Issue

Option 1: Disable Dynamic Pruning for Cardinality Aggregations
You can disable the dynamic pruning feature for cardinality aggregations by setting the cluster configuration search.dynamic_pruning.cardinality_aggregation.max_allowed_cardinality to 0. This ensures that Elasticsearch bypasses dynamic pruning for these queries.

Example Request:

PUT /_cluster/settings
{
  "persistent": {
    "search.dynamic_pruning.cardinality_aggregation.max_allowed_cardinality": 0
  }
}
  • Persistent Setting: This configuration will persist across cluster restarts.
  • Effect: Disabling pruning may increase resource usage but avoids query failures.

Option 2: Fine-Tune the Maximum Allowed Cardinality
Instead of disabling pruning entirely, you can increase the maximum allowed cardinality value to handle larger datasets. This is done by setting search.dynamic_pruning.cardinality_aggregation.max_allowed_cardinality to a higher value.

Example Request:

PUT /_cluster/settings
{
  "persistent": {
    "search.dynamic_pruning.cardinality_aggregation.max_allowed_cardinality": 100000
  }
}
  • Effect: Allows pruning for datasets with cardinality up to 100,000. Choose a value appropriate for your use case and resources.

Best Practices

  • Monitor Performance: Disabling or increasing the cardinality limit can lead to higher memory and CPU usage. Monitor your cluster to ensure it operates within acceptable limits.
  • Optimize Queries: Reduce the number of fields or terms involved in cardinality aggregations, or consider using filters to narrow down the dataset.
  • Upgrade Elasticsearch: If you consistently encounter this issue, ensure you’re using the latest version of Elasticsearch, as improvements to dynamic pruning may have been introduced.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts