Network Transport Saturation
warningHigh network throughput or connection count on cluster transport layer indicates heavy inter-node communication that can saturate network bandwidth and cause coordination delays.
elasticsearch.transport.tx_size or elasticsearch.transport.rx_size showing very high sustained throughput (>500MB/s per node) with growing elasticsearch.transport.server_open connection count
Identify traffic patterns via _nodes/stats/transport. Common causes: (1) Cross-cluster search with large result sets - implement result size limits, (2) Excessive shard relocation - check cluster.routing.allocation.node_concurrent_recoveries, (3) Large bulk operations coordinated through single node - distribute client connections across all data nodes. Verify network infrastructure can handle throughput - upgrade network interfaces if needed. Use transport.compress:true for WAN connections (adds CPU overhead). Monitor elasticsearch.node.cluster.connections for connection churn. Consider network topology - ensure nodes are in same availability zone/region when possible. Check elasticsearch.transport.rx_count and tx_count rates for abnormal patterns.