Error in event definition

When trying to edit an event in Alerts -> Event definitions -> :Edit -> Filter & Aggregation, having selected “Filter & Aggregation” as “Condition Type”, the status says “Loading Filter & Aggregation Information” with spinning dots, but nothing else ever happens.

The server log has this suspicious message:
2019-12-19T08:29:02.740+01:00 ERROR [EventProcessorExecutionJob] Event processor <aggregation-v1/5dfa280936b27e05f7f317d4> failed to execute: Search type returned error:

Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead. (retry in 5000 ms)
org.graylog.events.processor.EventProcessorException: Search type returned error:

Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
at org.graylog.events.processor.aggregation.PivotAggregationSearch.doSearch(PivotAggregationSearch.java:132) ~[graylog.jar:?]
at org.graylog.events.processor.aggregation.AggregationEventProcessor.aggregatedSearch(AggregationEventProcessor.java:199) ~[graylog.jar:?]
at org.graylog.events.processor.aggregation.AggregationEventProcessor.createEvents(AggregationEventProcessor.java:113) ~[graylog.jar:?]
at org.graylog.events.processor.EventProcessorEngine.execute(EventProcessorEngine.java:92) ~[graylog.jar:?]
at org.graylog.events.processor.EventProcessorExecutionJob.execute(EventProcessorExecutionJob.java:111) ~[graylog.jar:?]
at org.graylog.scheduler.JobExecutionEngine.executeJob(JobExecutionEngine.java:166) ~[graylog.jar:?]
at org.graylog.scheduler.JobExecutionEngine.lambda$handleTrigger$2(JobExecutionEngine.java:144) ~[graylog.jar:?]
at com.codahale.metrics.Timer.time(Timer.java:137) ~[graylog.jar:?]
at org.graylog.scheduler.JobExecutionEngine.handleTrigger(JobExecutionEngine.java:144) ~[graylog.jar:?]
at org.graylog.scheduler.JobExecutionEngine.lambda$execute$0(JobExecutionEngine.java:119) ~[graylog.jar:?]
at org.graylog.scheduler.worker.JobWorkerPool.lambda$execute$0(JobWorkerPool.java:110) ~[graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_232]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_232]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_232]

What is the problem and how can I fix it?

@tobiasreckhard

You might want to rethink how you work with your data.

The message field is full-text searchable, which makes using it in the event processing complex and not easy to handle.

Depending on what you want to be alerted on you should process and normalize your messages before using the events.

So you’re saying I shouldn’t query the message field in the event? The thing is, I just want to know if there are any messages of a certain kind, and I’m just count()'ing them, not searching for anything in them. Interestingly enough, I had managed to define the event in question, but I couldn’t edit it anymore, because of the error described above. The only recourse I could find was to delete the event and define a new one. I’d advise you to provide that area with better error handling.

Thank you for your advice, @tobiasreckhard.

You might want to create a feature request over at GitHub.
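
Added example (not part of the thread and not Graylog or Elasticsearch code): a check that walks the `properties` section of an Elasticsearch index mapping and reports which fields would raise the "Fielddata is disabled on text fields" error quoted in the first post when used in an aggregation. The sample mapping, the `raw` sub-field name and the function names are constructed for illustration.

```python
# Added example: find fields in an Elasticsearch mapping that cannot be aggregated on.

# Constructed sample of the "properties" part of an index mapping (not taken from the thread).
SAMPLE_PROPERTIES = {
    "message": {"type": "text"},
    "full_message": {"type": "text", "fields": {"raw": {"type": "keyword"}}},
    "source": {"type": "text", "fielddata": True},
    "facility": {"type": "keyword"},
    "timestamp": {"type": "date"},
    "http": {"properties": {"user_agent": {"type": "text"}, "status": {"type": "long"}}},
}


def aggregation_report(properties, prefix=""):
    """Return {field_path: (ok, note)} for every leaf field in a mapping."""
    report = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its sub-fields
            report.update(aggregation_report(spec["properties"], path + "."))
            continue
        ftype = spec.get("type", "object")
        if ftype != "text":
            # keyword, numeric, date, ip ... aggregate from doc values
            report[path] = (True, ftype)
        elif spec.get("fielddata") is True:
            report[path] = (True, "text with fielddata=true (held in heap)")
        else:
            # Multi-fields index the same value a second way, e.g. as keyword.
            alts = sorted(
                f"{path}.{sub}"
                for sub, sub_spec in spec.get("fields", {}).items()
                if sub_spec.get("type") == "keyword"
            )
            note = "use " + ", ".join(alts) if alts else "no keyword sub-field"
            report[path] = (False, note)
    return report


def blocked_fields(properties):
    """Field paths that would trigger the 'Fielddata is disabled' error."""
    return sorted(p for p, (ok, _) in aggregation_report(properties).items() if not ok)


if __name__ == "__main__":
    for path, (ok, note) in sorted(aggregation_report(SAMPLE_PROPERTIES).items()):
        print(f"{'OK     ' if ok else 'BLOCKED'} {path}: {note}")
```
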
