I’m installing from el7 RPM using the supplied GL guidance. As soon as I add an rsyslog input (local only for now) the message quick values have the following ES error:
org.elasticsearch.transport.RemoteTransportException: [I1g5KBu][127.0.0.1:9300][indices:data/read/search[phase/query]]
Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
The same goes for adding only an input from the audit system. I have purged the ES data several times. I have installed slightly older versions of both ES and GL. Always with the same result.
My older el6 Graylog 2.2.3 server has no such issues with the same kinds of data.
I also tried Graylog 2.3.1 with Elastic 5.6.4 (I think) to see if a slightly older version would work.
As the Subject says, it’s the “message” quick values that produce the error. The “source” quick values work. In fact they all seem to work but “message”. Generate Chart and Statistics also fail for “message” with 500 errors.
The ‘problem’ here is that Elasticsearch does not allow that kind of operation since version 5 on that kind of field type. In addition in Graylog 2.4 that is disabled and the option is removed from specific fields.
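The following is an added example, not part of the thread and not Graylog's own code. It is a Python check over the `properties` section of an index mapping that lists the `text` fields on which an aggregation would raise the fielddata error quoted above, along with a `keyword` sub-field to use instead where one exists. The sample mapping is constructed for illustration and is not Graylog's actual index template.

```python
# Constructed sample: the "properties" part of an Elasticsearch 5.x index
# mapping. It is NOT Graylog's real template; field names and settings other
# than the "message" text field are assumptions made for illustration.
SAMPLE_PROPERTIES = {
    "message": {"type": "text", "analyzer": "standard"},
    "source": {"type": "keyword"},
    "full_message": {"type": "text", "fielddata": True},
    "facility": {"type": "text", "fields": {"raw": {"type": "keyword"}}},
    "host": {"properties": {"name": {"type": "keyword"},
                            "note": {"type": "text"}}},
}


def walk(properties, prefix=""):
    """Yield (dotted_path, spec) for every leaf field and every multi-field."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: descend into its children
            yield from walk(spec["properties"], path + ".")
            continue
        yield path, spec
        for sub, subspec in spec.get("fields", {}).items():
            yield f"{path}.{sub}", subspec


def can_aggregate(spec):
    """text fields need fielddata=true; other types are treated as
    aggregatable here (simplification: they use doc_values by default)."""
    if spec.get("type") == "text":
        return spec.get("fielddata") is True
    return True


def blocked_fields(properties):
    """Map each field that would raise 'Fielddata is disabled on text fields'
    to a keyword sub-field that can be aggregated instead, or None."""
    blocked = {}
    for path, spec in walk(properties):
        if can_aggregate(spec):
            continue
        keyword_subs = (f"{path}.{sub}"
                        for sub, subspec in spec.get("fields", {}).items()
                        if subspec.get("type") == "keyword")
        blocked[path] = next(keyword_subs, None)
    return blocked


if __name__ == "__main__":
    for field, alternative in blocked_fields(SAMPLE_PROPERTIES).items():
        print(f"{field}: aggregation fails; use {alternative or 'no keyword sub-field available'}")
```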