I am experiencing issues in a cluster where I’m using name-%{+YYYY.MM.dd}
style index patterns in combination with Logstash and ISM. This works fine for the most parts, but now and then a batch of older messages gets pushed through the pipeline, causing Logstash to attempt writing to an older index.
When this happens I end up setting a ton of errors like this in the Logstash logs: [INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/8/index write (api)];"})
I’ve concluded that this is due to the force_merge is adding a write block after it’s run, as per: Actions | Elasticsearch Guide [7.0] | Elastic . Is there any way to have it not being marked as blocking writes? I tried to work around this by adding a read_write action after the force_merge in the ISM policy, but that appears to have done nothing.