Error about message field

MickGraylog1 · March 10, 2023, 7:47pm

Hello

1. Describe your incident:
I do have some problem when I check the log from graylog-server, there’s the error I have :

2023-03-10T14:44:32.506-05:00 ERROR [PivotAggregationSearch] Aggregation search query returned an error: OpenSearch exception [type=illegal_argument_exception, reason=Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [message] in order to load field data by uninverting the inverted index. Note that this can use significant memory.].

2. Describe your environment:

OS Information:
Oracle Linux 7
Package Version:
Graylog 5.0.5 Entreprise
Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

I tried to update my field message with API for fielddata=true and still having the error.

4. How can the community help?

I do not know how to remediate this situation.

Thank you

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

joe.gross · March 10, 2023, 9:14pm

You can’t make dashboards out of the message or the full_message fields.

“Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead.”

You need to parse the messages and then make dashboards from those parsed fields.

MickGraylog1 · March 10, 2023, 9:39pm

Hello Chris,

Thank for you reply. Funny thing, I do not have any dashboard has been created in my environment.

MickGraylog1 · March 13, 2023, 1:55pm

I just passed recently Elasticsearch to Opensearch, maybe it caused the problem?

MickGraylog1 · March 20, 2023, 6:06pm

Still having the error, I tried to change into the API
“message”: {
“type”: “keyword”
},

Or I added fielddata=true and I still got the error message.

gsmith · March 20, 2023, 9:54pm

Hey @MickGraylog1

How about saved searchs?
Somewhere on your device there is a field that has a texted search. You could try rotating the index set manually see if that clears it up.

MickGraylog1 · March 21, 2023, 6:10pm

Thank you so much @gsmith . You saved me!

Have a great day

system · April 4, 2023, 6:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
PivotAggregationSearch Error Graylog Central (peer support)	7	1068	September 5, 2022
Upgrade from 5.0.12 to 5.1.6 causes error in WebUI message table Graylog Central (peer support)	3	318	November 8, 2023
Field data errors Graylog Central (peer support)	2	4645	February 5, 2018
Error After Upgrading Graylog 5.1.2 from 5.0.2 And Opensearch 2.4.1 to 2.8.0 Graylog Central (peer support) failoadcongfigfblx , access-specific-log- , dashboards , components	4	993	July 14, 2023
Java stack trace issue Graylog Central (peer support)	1	632	January 6, 2021

Error about message field

Related topics