Could not update field graph data errors

Hi. New to Graylog. I’ve had this problem on both the VM and the Ubuntu package install. I am pretty sure this has been seen by others and there is a simple resolution, but I do not know what it is.

I am getting syslog messages in.
I can see the messages in the search field and they update.
But I am constantly getting the message
Updating field graph data failed: Error: cannot GET http://x.x.x.x:9000/api/search/universal/relative/fieldjistogram?query=*&range=300&interval=minute&field=message&cardinality=false (500)

Seems like the 500 at the end is a service unavailable HTTP status.

I see this too, when I use a very long interval. I have a bit less than 10000 shards in ES, and looking at the last month works OK, but trying to use the whole data (about 8 months now) it fails like this.

You could try a shorter time frame and see if it starts to work. If so, this is probably some setting in ES (or ES node JVM size, or something completely different).

Do you have any error messages in the Elasticsearch log file?

In my case, the problem is this:

org.jboss.netty.handler.codec.frame.TooLongFrameException: An HTTP line is larger than 12288 bytes.

I used
http.max_initial_line_length: 12kb
in the elasticsearch yml file in the ES nodes, after having this with the default 4kb.

I wonder what is the maximum number that is reasonable here.

Seems to mostly be this sort of thing:

[2017-08-09T06:55:50,378][DEBUG][o.e.a.s.TransportSearchAction] [H89-dk0] [graylog_0][1], node[H89-dk0aRPiPxFPkZGPHPw], [P], s[STARTED], a[id=ppZQdHoqQU6px12lDwgIew]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[graylog_0], indicesOptions=IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true], types=[message], routing='null', preference='null', requestCache=null, scroll=null, source={
  "query" : {
    "query_string" : {
      "query" : "TCP_NC_MISS\\/404",
      "fields" : [ ],
      "use_dis_max" : true,
      "tie_breaker" : 0.0,
      "default_operator" : "or",
      "auto_generate_phrase_queries" : false,
      "max_determinized_states" : 10000,
      "allow_leading_wildcard" : false,
      "enable_position_increments" : true,
      "fuzziness" : "AUTO",
      "fuzzy_prefix_length" : 0,
      "fuzzy_max_expansions" : 50,
      "phrase_slop" : 0,
      "escape" : false,
      "split_on_whitespace" : true,
      "boost" : 1.0
    }
  },
  "aggregations" : {
    "gl2_filter" : {
      "filter" : {
        "bool" : {
          "must" : [
            {
              "range" : {
                "timestamp" : {
                  "from" : "2017-08-09 11:40:50.373",
                  "to" : "2017-08-09 11:55:50.373",
                  "include_lower" : true,
                  "include_upper" : true,
                  "boost" : 1.0
                }
              }
            }
          ],
          "disable_coord" : false,
          "adjust_pure_negative" : true,
          "boost" : 1.0
        }
      },
      "aggregations" : {
        "gl2_histogram" : {
          "date_histogram" : {
            "field" : "timestamp",
            "interval" : "1m",
            "offset" : 0,
            "order" : {
              "_key" : "asc"
            },
            "keyed" : false,
            "min_doc_count" : 0
          },
          "aggregations" : {
            "gl2_stats" : {
              "stats" : {
                "field" : "message"
              }
            }
          }
        }
      }
    }
  }
}}]
org.elasticsearch.transport.RemoteTransportException: [H89-dk0][127.0.0.1:9300][indices:data/read/search[phase/query]]
Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
