illegal_argument_exception error in Kibana


methmu...@gmail.com

Mar 24, 2021, 10:37:26 AM
to Wazuh mailing list
Hi all,

I guess this might be a noob problem but I'm still not sure how to solve it.
A couple of weeks after updating to 4.1 we get the following error in Kibana:

Error:
2 of 1227 shards failed
The data you are seeing might be incomplete or wrong.

Detail:
"failures": [ 
     { "shard": 0, 
         "index": "wazuh-alerts-3.x-2021.03.23", 
          "node": "", 
          "reason": { 
                "type": "illegal_argument_exception", 
                "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.technique] in order to load field data by uninverting the inverted index. Note that this can use significant memory." }

The wazuh-template is 4.0 and I have checked for the indices

[user@host:/etc/filebeat] # curl -X GET "https://localhost:9200/_template/wazuh/?pretty" -H 'Content-Type: application/json'
{
  "wazuh" : {
    "order" : 0,
    "version" : 1,
    "index_patterns" : [
      "wazuh-alerts-4.x-*",
      "wazuh-archives-4.x-*"
..........

This behavior did not occur right after the upgrade from 3.x to 4.x.

Can you tell me what went wrong and why index pattern 3.x is loaded along 4.x which is set to default?

Thanks a lot in advance. :)

Miguel Angel Cazajous

Mar 25, 2021, 9:22:18 AM
to Wazuh mailing list
Hello, I will be taking a look into this and I'll contact you as soon as possible. Thank you for your patience.

Miguel Angel Cazajous

Mar 25, 2021, 10:47:23 AM
to Wazuh mailing list
I will share this document with you.

https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/index.html

It details how you should perform an upgrade. From there you can pick the installation type you used, but the case is similar.

You need to delete the old indexes since from version 4.0 the name has changed.

Take a look at step 12 in that documentation.

For example for Open distro: https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-open-distro.html#upgrading-kibana

Let me know if that was helpful. Regards!
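The reply above points at leftover 3.x indices that the 4.x template no longer manages, while the Kibana error itself is about rule.mitre.technique being mapped as a text field that cannot be aggregated. Before deleting anything it helps to see exactly which indices are affected. The script below is an added example, not code from the thread or from Wazuh: it takes the JSON shape that Elasticsearch returns for GET /_mapping (index name, then "mappings", then "properties") and, for a given dotted field name, reports which indices fall outside the template's index_patterns and which still map the field in a way that aggregations and sorting reject. The sample mapping document embedded in it is constructed for the example; the template patterns are the ones shown in the _template output earlier in the thread. The audit is read-only and deletes nothing.

```python
import fnmatch
import json

# Constructed sample (not taken from the thread): a trimmed Elasticsearch
# GET /_mapping response with one leftover 3.x index and one 4.x index.
# The 3.x index maps rule.mitre.technique as plain "text", which is the
# condition behind the illegal_argument_exception Kibana reports.
SAMPLE_MAPPINGS = json.loads("""
{
  "wazuh-alerts-3.x-2021.03.23": {"mappings": {"properties": {
    "rule": {"properties": {"mitre": {"properties": {
      "technique": {"type": "text"}}}}}}}},
  "wazuh-alerts-4.x-2021.03.24": {"mappings": {"properties": {
    "rule": {"properties": {"mitre": {"properties": {
      "technique": {"type": "keyword"}}}}}}}}
}
""")

# index_patterns exactly as the thread's GET /_template/wazuh output lists them.
TEMPLATE_PATTERNS = ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"]


def leaf_mapping(properties, dotted_field):
    """Follow a dotted field name (rule.mitre.technique) down a mapping's
    'properties' tree and return the leaf mapping, or None if it is absent."""
    node = {"properties": properties}
    for part in dotted_field.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def is_aggregatable(leaf):
    """True when Elasticsearch can aggregate or sort on the field: any
    non-text type, a text field with fielddata=true, or a text field that
    carries a keyword multi-field (the usual name.keyword pattern)."""
    if leaf is None:
        return False
    if leaf.get("type") != "text":
        return True
    if leaf.get("fielddata") is True:
        return True
    return any(sub.get("type") == "keyword"
               for sub in leaf.get("fields", {}).values())


def audit_indices(mappings, dotted_field, template_patterns):
    """Per index: whether the template's index_patterns cover it, how the
    field is mapped, and whether that mapping supports aggregations."""
    report = {}
    for index_name, body in mappings.items():
        props = body.get("mappings", {}).get("properties", {})
        leaf = leaf_mapping(props, dotted_field)
        report[index_name] = {
            "covered_by_template": any(fnmatch.fnmatchcase(index_name, p)
                                       for p in template_patterns),
            "field_type": None if leaf is None else leaf.get("type"),
            "aggregatable": is_aggregatable(leaf),
        }
    return report


def indices_to_clean(report):
    """Indices the current template does not manage, or whose field still
    cannot be aggregated: the candidates the reply above says to remove."""
    return sorted(name for name, row in report.items()
                  if not row["covered_by_template"] or not row["aggregatable"])


if __name__ == "__main__":
    result = audit_indices(SAMPLE_MAPPINGS, "rule.mitre.technique", TEMPLATE_PATTERNS)
    for name, row in result.items():
        print(name, row)
    print("candidates for removal:", indices_to_clean(result))
```

To run it against a real cluster, replace SAMPLE_MAPPINGS with json.load() of the output of curl -s "https://localhost:9200/_mapping" (same host and headers as the _template call in the first post) and review the candidate list before acting on it; an index that is covered by the template but still flagged would point at a mapping problem rather than a leftover 3.x index.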