Elasticsearch thread pool queue growing: the precursor to rejection
A climbing write or search queue in _cat/thread_pool means a node is receiving work faster than it can complete it. Rejections are the lagging indicator. By the time clients see EsRejectedExecutionException, the cluster is already degraded.
For the write pool, the default queue size is 10000 (ES 7.x+). For search, it is 1000. Sustained write queues above 1000 or search queues above 100 warrant investigation. The management pool is different: even small amounts of sustained queuing mean the master is falling behind on cluster state operations, which blocks allocation, mapping updates, and recovery.
This guide shows how to read the queues, find the root cause, and act before rejection becomes the story.
What this means
Short spikes during bulk ingest or query bursts are normal and drain quickly. Sustained queuing is not.
The write pool handles indexing and bulk operations. The search pool handles queries. The management pool handles internal operations like shard allocation and cluster state application. Management queuing is especially dangerous because cluster state updates are serialized; a backlog blocks recovery and metadata changes.
Queue depth is a point-in-time measurement. Sample every 5-10 seconds to distinguish a burst from a trend.
Rejected counters are cumulative since node startup and do not reset without a node restart. Zero rejections combined with a high queue means the cluster is at the edge. One GC pause, one additional concurrent query, or one merge backlog can push the queue into rejection.
Documentation from ES 6.x referencing bulk rejections refers to write rejections in 7.x+.
flowchart TD
A[Request rate exceeds processing rate] --> B[Thread pool queue grows]
B --> C{Root cause}
C --> D[CPU saturation]
C --> E[Disk I/O bound merges]
C --> F[Old GC pauses]
C --> G[Expensive queries]
C --> H[Master cluster state backlog]
D --> I[Queue fills and rejects]
E --> I
F --> I
G --> I
H --> J[Allocation and metadata stalls]
I --> K[HTTP 429 EsRejectedExecutionException]Common causes
| Cause | What it looks like | First thing to check |
|---|---|---|
| Throughput exceeds node capacity | Queues rise across all data nodes during traffic peaks | _cat/nodes CPU and load |
| Slow storage or merge backlog | Queue growth with rising segment count and merge time | _nodes/stats/indices/merges,segments |
| Expensive queries or aggregations | Search queue spikes on specific nodes, high query latency | Slow log and _tasks for active searches |
| GC pauses freezing execution | Queue grows in bursts aligned with old GC spikes | _nodes/stats/jvm old GC time and heap percent |
| Hot-sharded index | One node queues while others look idle | _cat/shards for asymmetric shard distribution |
| Management pool saturation | Management queue grows with pending tasks backing up | _cluster/pending_tasks and master node heap |
Quick checks
# Thread pool queues and rejections across critical pools
curl -s 'http://localhost:9200/_cat/thread_pool/write,search,get,management?v&h=node_name,name,active,queue,rejected'
# JVM heap and GC behavior
curl -s 'http://localhost:9200/_nodes/stats/jvm?filter_path=nodes.*.jvm.mem,nodes.*.jvm.gc'
# Per-node CPU and load to spot hot nodes
curl -s 'http://localhost:9200/_cat/nodes?v&h=name,heap.percent,cpu,load_1m'
# Expensive queries currently running
curl -s 'http://localhost:9200/_tasks?detailed=true&actions=*search*'
# Cancel a specific expensive search task. Kills in-flight user requests.
curl -X POST 'http://localhost:9200/_tasks/{task_id}/_cancel'
# Threads consuming CPU right now (can add brief overhead; use sparingly on saturated nodes)
curl -s 'http://localhost:9200/_nodes/hot_threads'
# Merge backlog and segment pressure
curl -s 'http://localhost:9200/_nodes/stats/indices/merges,segments'
# Whether the master is falling behind
curl -s 'http://localhost:9200/_cluster/pending_tasks?pretty'
How to diagnose it
- Confirm the queue is sustained, not a burst. Sample every 5-10 seconds. A brief spike that drains in seconds is a burst; a plateau over multiple samples is saturation.
- Identify which pool is affected and on which nodes. Asymmetric queuing across nodes points to hot-spotting.
- Correlate queue growth with CPU, heap, and old GC on the affected nodes. If old GC pauses align with queue jumps, the JVM is the bottleneck. High CPU with low GC means the node is under-provisioned for the workload.
- Check for merge backlog. Rising
segments.countwith highmerges.currentmeans I/O is the constraint. If running ES 7.8+, check_nodes/stats/indexing_pressurefor throttling that backs up the write queue. - Inspect active searches via
_tasksand the slow log. High-cardinality aggregations, scripts, or deep pagination can pin search threads for seconds. - If the management pool is queuing, check
_cluster/pending_tasksand master node resources. Do not restart the master blindly. - Determine if the root cause is capacity exhaustion (needs more resources) or transient blockage (merge storm, pathological query).
Metrics and signals to monitor
| Signal | Why it matters | Warning sign |
|---|---|---|
| Write queue depth | Leading indicator of indexing saturation | Sustained >1000 (default max 10000) |
| Search queue depth | Leading indicator of query saturation | Sustained >100 (default max 1000) |
| Management queue depth | Master cannot process cluster state changes | Any sustained growth above zero |
| Old GC collection time | Stop-the-world pauses freeze thread execution | >5 seconds or increasing frequency |
| Indexing latency | User-visible write slowdown | >2x baseline |
| Search latency (query/fetch) | User-visible read slowdown | >5x baseline |
| Segment count per shard | Merge backlog creates I/O pressure | >100 segments per shard |
| Pending cluster tasks | Master-side saturation delaying allocation | >20 tasks or any task >30 seconds old |
Fixes
Throughput exceeds node capacity
Add data nodes or reduce ingest pressure. Reduce bulk batch sizes if the coordinating node is overwhelmed. Increasing thread pool queue size only delays rejection and increases memory pressure. Do not tune your way out of a capacity problem.
If adding nodes is not immediate, temporarily reduce replica count on non-critical indices to free resources. Warning: this lowers fault tolerance. Only use as a stopgap when rejections pose a greater risk than reduced redundancy.
Storage or merge backlog
Increase index.refresh_interval on heavy-write indices to reduce segment creation. For spinning disks, set index.merge.scheduler.max_thread_count to 1 to cut random I/O. On SSDs, leave the default unless merge throughput is demonstrably below disk capacity.
Force-merge read-only indices during low-traffic windows; the operation is I/O-intensive and blocks resources. Ensure disks are not approaching watermarks, as relocation traffic competes for I/O.
Expensive queries pinning search threads
Identify the query via the slow log or _tasks, then cancel it. Replace aggregations on text fields with keyword sub-fields. Reduce the shard count targeted by each query where possible.
GC pauses freezing execution
Investigate heap consumers. Check segments.memory, fielddata cache size, and cluster state size. See Elasticsearch heap pressure death spiral for the full cascade.
Management pool saturation
Pause rapid index creation or mapping updates. Review dynamic mapping to prevent cluster state bloat. Ensure dedicated master nodes have adequate heap. If pending tasks are stuck due to shard allocation, check disk watermarks and unassigned shards.
Prevention
- Alert on queue depth, not just rejections. Rejection counters are cumulative and reset only on node restart; queue depth is immediate.
- Sample thread pool stats every 5-10 seconds. A 60-second interval can miss a spike that drains quickly or misrepresent a brief burst as sustained.
- Keep CPU peak below 80%, disk below 70%, and monitor the post-GC heap floor.
- Review ILM policies so old indices do not accumulate shards indefinitely.
- Prevent mapping explosions by disabling dynamic mapping or setting
index.mapping.total_fields.limitconservatively; large cluster states slow down the management pool. - Monitor segment counts and schedule force-merge on rolled-over time-series indices.
How Netdata helps
Netdata collects per-node thread pool queue depth, active threads, and rejected counts every second. Queue growth is charted alongside JVM heap, GC pause duration, and CPU to distinguish a GC pause from a query storm. Alerts trigger on sustained deviation from baseline queue depth per pool, not transient spikes. OS-level disk I/O wait and page cache metrics are available alongside Elasticsearch metrics to identify merge or storage bottlenecks.
Related guides
- Elasticsearch all shards failed: diagnosing search_phase_execution_exception
- Elasticsearch CircuitBreakingException: [parent] Data too large - causes and fixes
- Elasticsearch cluster_block_exception: blocked by, the read-only blocks explained
- Elasticsearch cluster health red: unassigned primaries and how to recover
- Elasticsearch cluster health yellow: unassigned replicas vs real allocation blocks
- Elasticsearch cluster state too large: field count, index count, and per-node heap
- Elasticsearch disk full: emergency recovery and freeing space safely
- Elasticsearch disk watermark cascade: from low watermark to cluster-wide read-only
- Elasticsearch document indexing failures: index_failed, bulk item errors, and version conflicts
- Elasticsearch fielddata circuit breaker tripped: text-field aggregations and the keyword fix
- Elasticsearch FORBIDDEN/12/index read-only / allow delete (api) — flood stage recovery
- Elasticsearch heap pressure death spiral: GC, node removal, and the cascade