No mapping found for [EventID] in order to sort on

Hello,

I’m wondering if anyone can advise on the problem described below…

I receive the following error on a brand new Graylog 3.1.1:

No mapping found for [EventID] in order to sort on

Steps to reproduce:

  1. Brand new Ubuntu 18.04.3 LTS

root@graylogtest:/# cat /etc/issue
Ubuntu 18.04.3 LTS \n \l

  2. Graylog server installed according to the installation manual
    http://docs.graylog.org/en/3.1/pages/installation/os/ubuntu.html
  3. I added a GELF TCP input.
  4. I sent data to Graylog via GELF TCP.
  5. I navigated to “Search” and tried to sort by a field that was sent via the GELF TCP input. I received the following error:

No mapping found for [EventID] in order to sort on

  6. Next I navigated to “Streams” -> “All Messages” and tried to sort by the same field (EventID); no issues then.

Elasticsearch version:
root@graylogtest:/# curl -XGET 'localhost:9200'

{
  "name" : "ElwSQ1b",
  "cluster_name" : "graylog",
  "cluster_uuid" : "17BD0BciSku_e3r8lgHVcQ",
  "version" : {
    "number" : "6.8.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "b506955",
    "build_date" : "2019-07-24T15:24:41.545295Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Error in /var/log/elasticsearch/graylog.log:

[2019-09-04T08:57:48,589][DEBUG][o.e.a.s.TransportSearchAction] [ElwSQ1b] [gl-system-events_0][0], node[ElwSQ1b4SeGtFyFq1Fm4-g], [P], s[STARTED], a[id=kAf9aWvwTRGyB33KKrv6Ww]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[gl-events_0, graylog_0, gl-system-events_0], indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=true, ignore_aliases=false, ignore_throttled=true], types=[message], routing='null', preference='null', requestCache=null, scroll=null, maxConcurrentShardRequests=5, batchedReduceSize=512, preFilterShardSize=64, allowPartialSearchResults=true, localClusterAlias=null, getOrCreateAbsoluteStartMillis=-1, source={"from":0,"size":150,"query":{"bool":{"must":[{"match_all":{"boost":1.0}}],"filter":[{"bool":{"must":[{"range":{"timestamp":{"from":"2019-09-04 08:42:48.538","to":"2019-09-04 08:57:48.538","include_lower":true,"include_upper":true,"boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}],"adjust_pure_negative":true,"boost":1.0}},"sort":[{"EventID":{"order":"desc"}}]}}] lastShard [true]
org.elasticsearch.transport.RemoteTransportException: [ElwSQ1b][127.0.0.1:9300][indices:data/read/search[phase/query]]
Caused by: org.elasticsearch.index.query.QueryShardException: No mapping found for [EventID] in order to sort on
at org.elasticsearch.search.sort.FieldSortBuilder.build(FieldSortBuilder.java:321) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.sort.SortBuilder.buildSort(SortBuilder.java:153) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:808) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService.createContext(SearchService.java:637) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:596) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:387) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService.access$100(SearchService.java:126) ~[elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:359) [elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:355) [elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.search.SearchService$4.doRun(SearchService.java:1107) [elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:41) [elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:751) [elasticsearch-6.8.2.jar:6.8.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.8.2.jar:6.8.2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]

In the above example I see that you have 3 indices - does the field EventID have the same type (number?) on all 3 indices and is it present on all 3 indices?

Thanks @jan,

Yes I have 3 indices:

All of these 3 indices are installed automatically by Graylog. EventId field is populated from GELF input. (no custom extractors added).

EventID field is not present in gl-events nor gl-system-events.

Thanks,
Pawel

Output of curl -X GET 'http://localhost:9200/_all/_mapping?pretty':

{
  "graylog_0" : {
    "mappings" : {
      "message" : {
        "dynamic_templates" : [
          {
            "internal_fields" : {
              "match" : "gl2_*",
              "match_mapping_type" : "string",
              "mapping" : {
                "type" : "keyword"
              }
            }
          },
          {
            "store_generic" : {
              "match_mapping_type" : "string",
              "mapping" : {
                "type" : "keyword"
              }
            }
          }
        ],
        "properties" : {
          "EventID" : {
            "type" : "long"
          },
          "SeverityValue" : {
            "type" : "long"
          },
          "SourceModuleName" : {
            "type" : "keyword"
          },
          "SourceModuleType" : {
            "type" : "keyword"
          },
          "SourceName" : {
            "type" : "keyword"
          },
          "SourceType" : {
            "type" : "keyword"
          },
          "Status" : {
            "type" : "keyword"
          },
          "SubStatus" : {
            "type" : "keyword"
          },
          "SubjectLogonId" : {
            "type" : "keyword"
          },
          "SubjectUserName" : {
            "type" : "keyword"
          },
          "SubjectUserSid" : {
            "type" : "keyword"
          },
          "TransmittedServices" : {
            "type" : "keyword"
          },
          "Version" : {
            "type" : "long"
          },
          "full_message" : {
            "type" : "text",
            "analyzer" : "standard"
          },
          "gl2_message_id" : {
            "type" : "keyword"
          },
          "gl2_processing_timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "gl2_receive_timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "gl2_remote_ip" : {
            "type" : "keyword"
          },
          "gl2_remote_port" : {
            "type" : "long"
          },
          "gl2_source_input" : {
            "type" : "keyword"
          },
          "gl2_source_node" : {
            "type" : "keyword"
          },
          "level" : {
            "type" : "long"
          },
          "message" : {
            "type" : "text",
            "analyzer" : "standard"
          },
          "source" : {
            "type" : "text",
            "analyzer" : "analyzer_keyword",
            "fielddata" : true
          },
          "streams" : {
            "type" : "keyword"
          },
          "timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          }
        }
      }
    }
  },
  "gl-system-events_0" : {
    "mappings" : {
      "message" : {
        "dynamic" : "false",
        "dynamic_templates" : [
          {
            "fields" : {
              "path_match" : "fields.*",
              "mapping" : {
                "doc_values" : true,
                "index" : true,
                "type" : "keyword"
              }
            }
          }
        ],
        "properties" : {
          "alert" : {
            "type" : "boolean"
          },
          "event_definition_id" : {
            "type" : "keyword"
          },
          "event_definition_type" : {
            "type" : "keyword"
          },
          "fields" : {
            "type" : "object",
            "dynamic" : "true"
          },
          "id" : {
            "type" : "keyword"
          },
          "key" : {
            "type" : "keyword"
          },
          "key_tuple" : {
            "type" : "keyword"
          },
          "message" : {
            "type" : "text",
            "norms" : false,
            "fields" : {
              "keyword" : {
                "type" : "keyword"
              }
            },
            "analyzer" : "standard"
          },
          "origin_context" : {
            "type" : "keyword"
          },
          "priority" : {
            "type" : "long"
          },
          "source" : {
            "type" : "keyword"
          },
          "source_streams" : {
            "type" : "keyword"
          },
          "streams" : {
            "type" : "keyword"
          },
          "timerange_end" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "timerange_start" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "timestamp_processing" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "triggered_jobs" : {
            "type" : "keyword"
          }
        }
      }
    }
  },
  "gl-events_0" : {
    "mappings" : {
      "message" : {
        "dynamic" : "false",
        "dynamic_templates" : [
          {
            "fields" : {
              "path_match" : "fields.*",
              "mapping" : {
                "doc_values" : true,
                "index" : true,
                "type" : "keyword"
              }
            }
          }
        ],
        "properties" : {
          "alert" : {
            "type" : "boolean"
          },
          "event_definition_id" : {
            "type" : "keyword"
          },
          "event_definition_type" : {
            "type" : "keyword"
          },
          "fields" : {
            "type" : "object",
            "dynamic" : "true"
          },
          "id" : {
            "type" : "keyword"
          },
          "key" : {
            "type" : "keyword"
          },
          "key_tuple" : {
            "type" : "keyword"
          },
          "message" : {
            "type" : "text",
            "norms" : false,
            "fields" : {
              "keyword" : {
                "type" : "keyword"
              }
            },
            "analyzer" : "standard"
          },
          "origin_context" : {
            "type" : "keyword"
          },
          "priority" : {
            "type" : "long"
          },
          "source" : {
            "type" : "keyword"
          },
          "source_streams" : {
            "type" : "keyword"
          },
          "streams" : {
            "type" : "keyword"
          },
          "timerange_end" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "timerange_start" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "timestamp_processing" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "triggered_jobs" : {
            "type" : "keyword"
          }
        }
      }
    }
  }
}
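
Added example (not part of the original thread and not Graylog's own code): a Python check over `_all/_mapping` output that lists which of the searched indices have no mapping for a sort field, the condition behind the QueryShardException in the log above. `SAMPLE_MAPPING` is constructed by trimming the page's output, the function names are illustrative, `unmapped_type` is Elasticsearch's own sort option, and the parser also accepts the typeless 7.x layout, which goes beyond the 6.8.2 case shown here.

```python
import json

# Constructed sample: the page's _all/_mapping output trimmed to a few fields
# (Elasticsearch 6.x layout, where properties sit under the "message" type).
SAMPLE_MAPPING = json.loads("""
{
  "graylog_0": {"mappings": {"message": {"properties": {
      "EventID": {"type": "long"}, "timestamp": {"type": "date"}}}}},
  "gl-system-events_0": {"mappings": {"message": {"dynamic": "false", "properties": {
      "priority": {"type": "long"}, "timestamp": {"type": "date"}}}}},
  "gl-events_0": {"mappings": {"message": {"dynamic": "false", "properties": {
      "priority": {"type": "long"}, "timestamp": {"type": "date"}}}}}
}
""")

def field_types(mapping, field):
    """Return {index: mapped type or None} for `field` in every index."""
    result = {}
    for index, body in mapping.items():
        mappings = body.get("mappings", {})
        # 6.x nests properties under a type name; 7.x puts them directly here.
        if "properties" in mappings:
            doc_types = [mappings]
        else:
            doc_types = [m for m in mappings.values() if isinstance(m, dict)]
        found = None
        for doc_type in doc_types:
            found = doc_type.get("properties", {}).get(field, {}).get("type") or found
        result[index] = found
    return result

def sort_report(mapping, field):
    """List indices that would reject a sort on `field`, and the types seen."""
    types = field_types(mapping, field)
    unmapped = sorted(i for i, t in types.items() if t is None)
    distinct = sorted({t for t in types.values() if t is not None})
    return {"unmapped": unmapped, "types": distinct,
            "consistent": not unmapped and len(distinct) == 1}

def tolerant_sort(mapping, field, order="desc"):
    """Sort clause using Elasticsearch's unmapped_type option, or None."""
    report = sort_report(mapping, field)
    if len(report["types"]) != 1:
        return None  # mapped nowhere, or mapped with conflicting types
    return [{field: {"order": order, "unmapped_type": report["types"][0]}}]

if __name__ == "__main__":
    print(sort_report(SAMPLE_MAPPING, "EventID"))
    print(tolerant_sort(SAMPLE_MAPPING, "EventID"))
```

To run it against a live node, load the saved output of the `_all/_mapping` request with `json.load` and pass it in place of `SAMPLE_MAPPING`.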
