The all shards failed error means every shard in your search request returned a failure, usually due to bad queries, mapping issues, or cluster problems.
What The All Shards Failed Error Really Means
Elasticsearch and OpenSearch split index data into pieces called shards. Each search or aggregation runs against those shards in parallel, and the results are merged into a single response. When the message all shards failed appears, it means none of the shards involved in the request could return a valid answer.
This message usually comes wrapped inside a search_phase_execution_exception in the response body or logs. The stack trace often lists individual shard reasons such as query parsing errors, mapping conflicts, missing fields, or timeouts. That detail matters more than the headline error, because the headline only tells you that every shard failed, not why it happened.
From the cluster point of view, this error does not always mean your data is gone. Shards might be temporarily unavailable, overloaded, or rejecting the specific operation you tried, such as an aggregation on the wrong field type. Many cases come down to query shape, index mapping, or resource pressure, not permanent damage.
Elastic’s own error reference for this message points to patterns such as unsupported aggregations on text fields, metric aggregations on fields with the wrong type, failed shard recovery, and misused global or reverse_nested aggregations. Understanding which of these fits your case is the quickest route to a real fix.
When All Index Shards Fail In Elasticsearch
In day to day work, the error tends to appear in a few familiar situations. A dashboard load throws a red error bar, an application log shows a failed search request, or a bulk query job stops and reports that the response from the search backend could not be parsed. In each of these cases, the cluster tried to touch every shard behind the index pattern you used, and every one of those shards reported a failure.
The JSON response usually includes an error.root_cause section with a type and message. You might see messages about field data being too large, unsupported operations on text fields, circuit breakers, or shard recovery problems. These clues tell you whether you are dealing with a query level issue, a mapping issue, or a node and storage level issue.
Sometimes the error appears only for one index pattern or one dashboard. That often points to a field or mapping that changed over time, so older shards still hold data with one structure while newer shards use another. In other cases, the error fires across many indices at once, which is a strong hint that cluster health, heavy queries, or resource limits are in play.
Common Causes Behind This Search Error
Unsupported Aggregations On Text Fields
One of the most frequent triggers is an aggregation or sort on a text field. Text fields are built for full text search, not exact value operations. Sorting or aggregating on them forces field data to be loaded into memory and, in many cases, the engine refuses the request and marks the shard as failed. The fix is to use a .keyword subfield or change the mapping to use a keyword type where exact values are needed.
This group also includes metric aggregations on fields that hold text, global aggregations placed at the wrong level in the aggregation tree, and reverse_nested aggregations used outside a nested context. Each of these mistakes can cause every shard touched by the query to fail in the same way.
Mapping And Type Problems
Another common source of trouble is a request that assumes a certain type for a field that now holds different data. A script that parses an integer from a field that contains non numeric text, or a range query against a field that was stored as text, can cause shard level failures. When the same mistake appears across all relevant indices, the result is the same error on every shard.
Shard Allocation, Node Health, And Storage Limits
If nodes are down, disks are full, or shard allocation rules prevent shards from starting, some or all shards for an index may stay unassigned. Queries that hit those shards fail because there is no active copy to answer. Cluster health moving to yellow or red is a warning sign here. When every shard for the request is unassigned or stuck, the search layer returns the error instead of partial data.
Issues during shard recovery sit in the same family. A shard that keeps failing while it recovers from a snapshot or from another node can stay unavailable even though the index still appears in listings. Search traffic that lands on that shard will fail until recovery problems are solved or the index is rebuilt.
Heavy Queries, Timeouts, And Circuit Breakers
Large aggregations, deep pagination, or many open scrolls can place heavy load on nodes. When shards take too long, hit memory limits, or trip circuit breakers, they can respond with errors instead of results. If each shard in the request hits similar limits, the combined effect is the same error message. Longer term, query tuning and better index design give far more relief than simply raising timeouts.
Closed, Frozen, Or Read Only Indices
If an index is closed, frozen, or marked read only due to disk watermarks, shards behind that index may reject some operations. A search that includes those indices can then fail on every shard that matches the pattern. Checking index state and disk thresholds is a fast way to confirm this path.
Authentication And Authorization Errors
Some stacks route Elasticsearch through proxies or security layers that enforce permissions at index or field level. When a query touches indices the caller is not allowed to read, or uses features that the security layer blocks, shards can fail with access errors. If the same restriction hits every shard that matches the pattern, the final response looks like a cluster wide failure even though the cluster itself is healthy.
| Cause | Typical Symptom | First Check |
|---|---|---|
| Aggregation on text field | Error about field data or unsupported operation | Inspect field mapping and use .keyword where needed |
| Shard allocation or node outage | Cluster health yellow or red, unassigned shards | Call GET _cluster/health and GET _cat/shards |
| Heavy query or timeout | Slow response, circuit breaker messages | Review query, limits, and node memory use |
Step By Step Fixes To Clear The Error
Solving this problem always starts with reproducing it in a controlled way. Run the query from Dev Tools or curl, capture the full JSON response, and confirm which indices and shards are involved. Once you have that snapshot, you can follow a clear checklist instead of guessing.
- Check cluster health — Run
GET _cluster/healthand confirm the status, number of nodes, and count of unassigned shards. - List shard status — Use
GET _cat/shards?vto see which shards are started, relocating, or unassigned, and which nodes they sit on. - Re run the failing query — Execute the same search with
?pretty=trueso you can read thefailed_shardsarray and error reasons. - Fix mapping issues — When errors point at text fields in aggregations or metric operations, switch to a
.keywordsubfield or change the mapping to a numeric type. - Adjust index and shard state — If shards are unassigned, check disk watermarks, allocation filters, and node availability, then bring nodes back or update settings so shards can start.
- Tune heavy queries — Simplify aggregations, reduce the number of buckets, avoid deep pagination, and replace large scrolls with search after patterns where possible.
- Watch logs while testing — Tail Elasticsearch logs during each change so you can see new errors or warnings right away.
Reading Logs And Responses For Clues
The most specific hints often live in the failed_shards section of the response or in server logs. Each entry usually lists the index, shard number, node, error type, and message. Reading several of these together shows whether one shard is an outlier or whether the same pattern appears across all of them.
Logs can also reveal repeated circuit breaker trips, garbage collection pressure, or storage errors. When the same search path keeps pushing memory or disk near limits, the cluster protects itself by failing shards instead of allowing a full crash. Matching timestamps across logs and user reports helps tie the error to traffic spikes, new dashboards, or recent configuration changes.
For persistent problems, many teams create a small saved search that filters logs for shard failures, query parse errors, and circuit breaker messages. That view acts as an early warning board so shard issues show up before dashboards and applications begin to fail loudly.
Preventing Repeated Shard Failures
Once the immediate fire is out, spend some time on the patterns that brought you there. A handful of habits go a long way toward avoiding the same situation again with another index or dashboard.
Start with index and field design. Every field that needs sorting, grouping, or joins should use a keyword or numeric type, not plain text. For mixed content, multi fields with both text and keyword variants let you keep flexible search while still allowing safe aggregations. Clear naming makes it easier for query builders and dashboard authors to pick the right variant.
Then review shard and node sizing. Too many small shards create overhead, while a few oversized shards can overload single nodes. Use index templates and lifecycle policies that keep shard counts per node in a healthy range and move older indices to less busy nodes when they no longer receive heavy traffic.
It also helps to add regular checks into your operations routine. Simple scheduled calls to _cluster/health, _cat/shards, and key dashboards can warn you long before shard failures hit users. Alerting on yellow or red cluster states, unassigned shards, and repeated circuit breaker messages keeps the cluster in shape.
Finally, treat this kind of incident as feedback on both your cluster and your query patterns. Each time it happens, log the cause, the fix, and the change that prevented a repeat. Over time, that record turns into a practical runbook for your team and keeps search features reliable even as new data and dashboards come online.