Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question. Don’t forget to select tags to help index your topic!
1,. Although my Graylog-Server version 4.2.9 is working mostly fine, I keep getting errors in the server.log.
Service logs:
2022-06-05T11:02:53.939+02:00 ERROR [PivotAggregationSearch] Aggregation search query returned an error: Elasticsearch exception [type=illegal_argument_exception, reason=Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [message] in order to load field data by uninverting the inverted index. Note that this can use significant memory.].
So far I have disabled my streams to stop triggering these messages. However, I have not managed to stop these error messages. Or perhaps I fail to understand the problem in full. I checked to see if Elastic Search and Mongo are healthy. And I see they have no ERRORS.
Has anyone encountered this particular issue with this particular Graylog version? How can I suppress the messages?
Sum it up elasticsearch seams like its bitchin that there is a text field that need to be set as a keyword field, this is a elasticsearch thing.
This can happen if:
You have a pipeline or an extractor not configured correctly.
Messages going to wrong input.
Widget configuration
If you not receiving any messages and it is still logging Error, I would look into the Index template to find out where this is happening. try rotating your index. You also might want to check you Widgets, Dashboards or any saved search’s out. Looking for a field that might contain a text field.
I have examined my dashboards too and my widgets seem to behave fine. Actually the issue seems to have started from before I even created the widgets.
I do not use extractors nor pipelines at the moment.
Is there a means to backup the Dashboards before I remove them for debug purposes?
To be honest, since we now know its from FileBeat INPUT look for a widget that shows data from that INPUT. That would be my first troubleshooting idea. Next, If this is a VM ( virtual machine) see if you can make a check point first. This way if something goes wrong you can just roll it back.
I am now looking into this. I looked at the dashboard area for the widgets. The dashboard has 3 entries:
Sources (came with installation of Graylog 4.2.x)
My own,
My own.
I do not see a widget like you show in the screenshot. I do have streams with aggregation rules if I recall.
By the way my own dashboards also feature widgets that show data from filebeat input. Do you mean I need to look at my own dashboards for this issue? I just need to confirm so that I am sure I understand you.
From what I understand, there maybe a problem with the Search query from the widget/Aggregation.
Aggregation search query returned an error: Elasticsearch exception [type=illegal_argument_exception, reason=Text fields are not optimised for operations that require per-document field data like aggregations and sorting,
