Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Metricbeat Dashboard causes query exception in master/7.0 #5275

Closed
beniwohli opened this issue Sep 29, 2017 · 12 comments
Closed

Metricbeat Dashboard causes query exception in master/7.0 #5275

beniwohli opened this issue Sep 29, 2017 · 12 comments
Labels
blocker bug Metricbeat Metricbeat Stalled Team:Integrations Label for the Integrations team

Comments

@beniwohli
Copy link
Contributor

With Elasticsearch/Kibana on master, when running metricbeat with the system module active, opening the Host Overview dashboard leads to an error

"reason":"field expansion matches too many fields, limit: 1024, got: 1030"

The full error, as well as the metricbeat configuration I used can be found here: https://gist.github.com/beniwohli/bb1bfe63ed02480d08025a444d157376
@ruflin
Copy link
Contributor

ruflin commented Oct 2, 2017

@simianhacker I assume these are the same issues? #5278

@simianhacker
Copy link
Member

@ruflin I don't think so... I get that error when searching in Discover as well.

@simianhacker
Copy link
Member

@elastic/beats This is related to elastic/elasticsearch#26541 which is going to be a problem for Metricbeat.

@Bargs
Copy link

Bargs commented Oct 30, 2017

I just caught up on some discussion of this in Slack from last week. I just wanted to note that this will still affect users when they switch to kuery since the limit also applies to multi_match queries, which kuery uses under the hood.

@simianhacker
Copy link
Member

So the fix we decided on last week is to force the admin to add a list of 1024 fields to the index setting index.query.default_field. Since we are administering the metrcibeat-* indices we will be responsible for changing our index template to include index.query.default_field.

@Bargs
Copy link

Bargs commented Oct 30, 2017

That won't work for kuery since multi_match doesn't use default_field. But if I understood the conversation, what you described is meant to be a simple fix for the short term, so that's probably fine.

@simianhacker
Copy link
Member

@Bargs Yeah... that's going to be a problem for multi_match. What do you guys put in the fields array now just *? It would suck to ask the user to fill that in for each index pattern that has more the 1024 searchable fields.

@Bargs Bargs mentioned this issue Oct 30, 2017
Merged
@Bargs
Copy link

Bargs commented Oct 30, 2017

Yep, just *. I asked if the ES guys have any advice in the other issue.

@rashmivkulkarni
Copy link

We hit the same issue as above while running the integration tests on master .

org.elasticsearch.transport.RemoteTransportException: [cQvsA1-][10.0.2.15:9300][indices:data/read/search[phase/query]]
Caused by: org.elasticsearch.index.query.QueryShardException: failed to create query: {
  "bool" : {
    "must" : [
      {
        "query_string" : {
          "query" : "*",
          "default_field" : "*",
          "fields" : [ ],
          "type" : "best_fields",
          "default_operator" : "or",
          "max_determinized_states" : 10000,
          "enable_position_increments" : true,
          "fuzziness" : "AUTO",
          "fuzzy_prefix_length" : 0,
          "fuzzy_max_expansions" : 50,
          "phrase_slop" : 0,
          "analyze_wildcard" : true,
          "escape" : false,
          "auto_generate_synonyms_phrase_query" : true,
          "fuzzy_transpositions" : true,
          "boost" : 1.0
        }
      },
      {
        "query_string" : {
          "query" : "*",
          "default_field" : "*",
          "fields" : [ ],
          "type" : "best_fields",
          "default_operator" : "or",
          "max_determinized_states" : 10000,
          "enable_position_increments" : true,
          "fuzziness" : "AUTO",
          "fuzzy_prefix_length" : 0,
          "fuzzy_max_expansions" : 50,
          "phrase_slop" : 0,
          "analyze_wildcard" : true,
          "escape" : false,
          "auto_generate_synonyms_phrase_query" : true,
          "fuzzy_transpositions" : true,
          "boost" : 1.0
        }
      },

can we be notified when this is fixed?
cc / @LeeDr

@tsg tsg mentioned this issue Jan 5, 2018
Closed
@bhavyarm
Copy link

bhavyarm commented Jan 8, 2018

@elastic/beats I logged this on Kibana and then found out from the viz team that this is an old bug. elastic/kibana#15863 Just making a note here.

@bhavyarm bhavyarm mentioned this issue Jan 8, 2018
Closed
@Bargs Bargs mentioned this issue Feb 8, 2018
Closed
@ruflin
Copy link
Contributor

ruflin commented Feb 27, 2018

Tracking issue on the kibana side: elastic/kibana#16232

@ruflin ruflin mentioned this issue May 4, 2018
Merged
ruflin added a commit to ruflin/beats that referenced this issue May 22, 2018
@ruflin
Fix default_field for metricbeat
44e0693 
In Elasticsearch 7.0 there is a limit of 1024 fields (see elastic#5275). As Metricbeat exceeds the limit of 1024 fields per index it has to be defined which the default fields are as otherwise Elasticsearch returns an error.

This change set the index config option `index.query.default_field`. To fields chosen to be searchable are all string and keyword values as these are the ones that I would expect users to put directly in the search without specifying a field. For all numbers I expect that the exact field is specified.

This PR also removes all presets from dashboards which did set default_fields as they were `*`. In Kibana the default `*` was removed also in master: elastic/kibana#16232
exekias pushed a commit that referenced this issue May 22, 2018
@ruflin @exekias
Fix default_field for metricbeat (#7015)
539c07e 
In Elasticsearch 7.0 there is a limit of 1024 fields (see #5275). As Metricbeat exceeds the limit of 1024 fields per index it has to be defined which the default fields are as otherwise Elasticsearch returns an error.

This change set the index config option `index.query.default_field`. To fields chosen to be searchable are all string and keyword values as these are the ones that I would expect users to put directly in the search without specifying a field. For all numbers I expect that the exact field is specified.

This PR also removes all presets from dashboards which did set default_fields as they were `*`. In Kibana the default `*` was removed also in master: elastic/kibana#16232
@ycombinator ycombinator added Team:Beats Team:Integrations Label for the Integrations team and removed Team:Beats Team:Integrations Label for the Integrations team labels Jan 3, 2020
@ycombinator ycombinator added the Team:Integrations Label for the Integrations team label Jan 3, 2020
@botelastic
Copy link

botelastic bot commented Dec 3, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the Stalled label Dec 3, 2020
@botelastic botelastic bot closed this as completed Jan 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocker bug Metricbeat Metricbeat Stalled Team:Integrations Label for the Integrations team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@simianhacker @ycombinator @beniwohli @ruflin @Bargs @bhavyarm @rashmivkulkarni