I am using Wazuh 4.7.3-1, but I forgot to configure the index management (ILM), so I encounter the typical error message ‘cluster currently has [1000]/[1000] maximum shards open)’. Obviously this situation lasted for 3 weeks. As a quick fix, I deleted some old indexes from the early days of the server and it started working again as soon as new data arrived.
The thing is, I need to have the data from those 3 weeks in the system.