Error After Upgrading Graylog 5.1.2 from 5.0.2 And Opensearch 2.4.1 to 2.8.0

1. Describe your incident:
After Upgrading to Graylog version 5.1.2 from 5.0.2 and Opensearch 2.8.0 from 2.4.1, the Graylog Dashboards threw errors like pictures below:

image1920×1080 203 KB

Unable to perform search query: OpenSearch exception [type=illegal_argument_exception, reason=Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [gl2_message_id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.].

But everything with mapping is not change before or after upgrade.

I’ve Already restart Opensearch + Graylog services multi times and re-create new index and rotate new one, but nothing changes! A full restarted but no helped!

My custom_index in Opensearch is:

{
  "index_patterns": ["graylog_*"],
  "priority": 0,
  "version": 1,
  "template": {
    "settings": {
      "index": {
        "analysis": {
          "analyzer": {
            "analyzer_keyword": {
              "filter": "lowercase",
              "tokenizer": "keyword"
            }
          }
        },
        "refresh_interval": "5s",
        "mapping": {
          "nested_fields": {
            "limit": "500"
          },
          "depth": {
            "limit": "200"
          },
          "total_fields": {
            "limit": "10000"
          },
          "nested_objects": {
            "limit": "100000"
          }
        }
      }
    },
    "mappings": {
      "_source": {
        "enabled": true
      },
      "dynamic_templates": [
        {
          "bytes_fields": {
            "mapping": { "type": "long", "ignore_malformed": true },
            "match_mapping_type": "string",
            "match": "*bytes*"
          }
        },
        {
          "packets_fields": {
            "mapping": { "type": "long", "ignore_malformed": true },
            "match_mapping_type": "string",
            "match": "*packets"
          }
        },
        {
          "store_generic": {
            "mapping": { "type": "keyword" },
            "match_mapping_type": "string"
          }
        }
      ],
      "properties": {
        "3_srcIP": { "type": "ip", "ignore_malformed": true },
        "4_srcPort": { "type": "long", "ignore_malformed": true },
        "5_dstIP": { "type": "ip", "ignore_malformed": true },
        "6_dstPort": { "type": "long", "ignore_malformed": true },
        "origin": { "type": "ip", "ignore_malformed": true },
        "SourceIp": { "type": "ip", "ignore_malformed": true },
        "DestinationIp": { "type": "ip", "ignore_malformed": true },
        "IPV4": { "type": "ip", "ignore_malformed": true },
        "IpAddress": { "type": "ip", "ignore_malformed": true },
        "IpPort": { "type": "long", "ignore_malformed": true },
        "originalClientSrcIP": { "type": "ip", "ignore_malformed": true },
        "first_pkt_second": { "type": "date" },
        "@timestamp": { "type": "date" },
        "timestamp": { "type": "date", "format": "uuuu-MM-dd HH:mm:ss.SSS" },
        "source": {
          "type": "text",
          "analyzer": "analyzer_keyword",
          "fielddata": true
        },
        "full_message": {
          "fielddata": true,
          "analyzer": "standard",
          "type": "text"
        },
        "2_protocol": {
          "type": "text",
          "analyzer": "analyzer_keyword",
          "fielddata": true
        },
        "message": {
          "fielddata": true,
          "analyzer": "standard",
          "type": "text"
        },
        "Message": {
          "fielddata": true,
          "analyzer": "standard",
          "type": "text"
        }
      }
    }
  }
}

2. Describe your environment:

• OS Information:
  Red hat 8.6
• Package Version:
  After upgraded: Graylog-Server Open 5.1.2; Opensearch 2.8.0
  Before upgraded: Graylog-Server Open 5.0.2; Opensearch 2.4.1
• Service logs, configurations, and environment variables:
  
  

  image1911×554 59.7 KB

Above image are of Deflecting index and field mapping!

3. What steps have you already taken to try and solve the problem?

I’ve re-indexing and change my custom templates to rotate and changes for new index or new template with purpose changes all fields to keyword but there is no helped.

I’ve using Navicat to read mongodb and find all index_field_type with all indices the id field and
gl2_message_id

it still keyword , there is no text at all .

I’m using GET

_cat/fielddata

and It response these logs:

{ [-](http://port.local:9000/#)
"error": "Unrecognized token 'CChI7QtnRkm8pc2F7sHjNw': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"CChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog resource 0b\nCChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog url 0b\nCChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog gl2_message_id 4.3mb\nCChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog streams 0b\nCChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog request 0b\nCChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog _id 784b\nCChI7Qtn\"[truncated 156 chars]; line: 1, column: 23]"
}

and GET

_cat/fielddata?v=true&fields=gl2_message_id

{ [-](http://port.local:9000/#)
"error": "Unrecognized token 'id': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"id host ip node field size\nCChI7QtnRkm8pc2F7sHjNw 10.10.254.103 10.10.254.103 searchlog gl2_message_id 4.3mb\n\"; line: 1, column: 3]"
}

4. How can the community help?
Has this been an issue for anybody else after upgrading to graylog 5.1.2 ?

I’ve checked by using multiple method of _cat opensearch index

_cat/shards

{ [-](http://port.local:9000/#)
"error": "Unrecognized token 'graylog_795': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"graylog_795 0 p STARTED 19990488 16.3gb 10.10.254.103 searchlog\ngraylog_747 0 p STARTED 24624760 17.2gb 10.10.254.103 searchlog\ngraylog_737 0 p STARTED 20032932 16.2gb 10.10.254.103 searchlog\ngraylog_783 0 p STARTED 20731495 15.8gb 10.10.254.103 searchlog\ngraylog_675 0 p STARTED 20568165 15.7gb 10.10.254.103 searchlog\ngraylog_78\"[truncated 20463 chars]; line: 1, column: 12]"
}

_cat/indices

{ - 
  "error": "Unrecognized token 'green': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"green open graylog_686 SoG2KVA0T_y-foz3K3HVxA 1 0 20739876 0 16.4gb 16.4gb\ngreen open graylog_687 G11HQ5lqRoCfQ7J4o7_PqA 1 0 20862601 0 15.9gb 15.9gb\ngreen open graylog_720 eh4QNk1aRliXXnO4WV26cQ 1 0 20729535 0 15.5gb 15.5gb\ngreen open graylog_684 Egj3YEsnRuaj5pjqprTKIw 1 0 22445216 0 15.1gb 15.1gb\ngreen open graylog_685 28B1yLnXQX\"[truncated 19447 chars]; line: 1, column: 6]"
}

_cat/health?v

{ - 
  "error": "Unrecognized token 'epoch': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"epoch timestamp cluster status node.total node.data discovered_cluster_manager shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent\n1687742154 01:15:54 graylog yellow 1 1 true 213 213 0 0 1 0 - 99.5%\n\"; line: 1, column: 6]"

}

Hey @minh8356

First, I also use cerebro for elasticsearch. its still working on ES 8.0

Have to tried to manually rotate you index set from the Web UI?

Using cURL do you get the same results?

Thanks for your response, I’ve used the retention strategy and limited it down to the newest latest 20 indices then, the error is gone, Everything now worked!. I think some template indices or some field types have errors from older versions=> when upgraded they failed.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.