Level: Critical

Purpose: This alert informs that the MDC tracker cannot write to Elastic Search.

Scenario: The tracker log contains the following: “Failed to write object due to ElasticSearch Status Exception”. Check the reason in exception message.

• “Data too large” - Kibana and/or elastic search service has failed on the esk (elk stack) server
• “failed to parse field” - this indicates an error with agent parsing

Kibana and/or elastic search service has failed on the esk (elk stack) server, usually due to the error message “Data too large”. If error message contains “failed to parse

Resolution: Check if kibana and elastic search service are running. Usually restarting elastic search, even if it's running, followed by kibana, will fix the issue.

Manual Action Steps:

sudo service elasticsearch restart
sudo service kibana restart

Auto Clear: This will auto-clear if the log line “Failed to write object due to ElasticSearch Status Exception” doesn't appear in the tracker logs for more than 30 minutes.