StamusNetworks / KTS6

Kibana 6 Templates for Suricata IDPS Threat Hunting
GNU General Public License v3.0

Error with Painless scripted field 'doc['flow_id'].value'. #11

Closed alphaDev23 closed 5 years ago

alphaDev23 commented 5 years ago

Not so painless! Using ELK stack 6.6.2. It appears that there is no field found for [flow_id]. How do I fix this?

Error with Painless scripted field 'doc['flow_id'].value'. You can address this error by editing the 'doc['flow_id'].value' field in Management > Index Patterns, under the “Scripted fields” tab.

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"},{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"fetch","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2019.06.17","node":"K0F17p4EQhWowyI734jOow","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}},{"shard":0,"index":"logstash-web","node":"BnnohOHRT6aYovWy1SHIFg","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}}]},"status":500}
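The error response above reports, per failed shard, which index the Painless script ran against and why it failed ("No field found for [flow_id] in mapping"). As an added diagnostic example that is not part of this issue or of the KTS6 project, the following script pulls the missing field names out of such a response (a constructed, trimmed copy of the page's error) and builds a guarded version of the scripted field using Painless's `doc.containsKey`, so indices that lack the field return `null` instead of failing the whole search. The sample payload and the function names are this example's own assumptions.

```python
import json
import re

# Constructed sample modelled on the error in the issue, trimmed to two shards.
SAMPLE_ERROR = json.dumps({
    "error": {
        "type": "search_phase_execution_exception",
        "reason": "all shards failed",
        "failed_shards": [
            {"shard": 0, "index": "logstash-2019.06.17",
             "reason": {"type": "script_exception",
                        "script": "doc['flow_id'].value",
                        "caused_by": {"type": "illegal_argument_exception",
                                      "reason": "No field found for [flow_id] in mapping with types []"}}},
            {"shard": 0, "index": "logstash-web",
             "reason": {"type": "script_exception",
                        "script": "doc['flow_id'].value",
                        "caused_by": {"type": "illegal_argument_exception",
                                      "reason": "No field found for [flow_id] in mapping with types []"}}},
        ],
    },
    "status": 500,
})

# Matches the Elasticsearch wording for a field absent from an index mapping.
MISSING_FIELD_RE = re.compile(r"No field found for \[([^\]]+)\] in mapping")


def missing_fields(error_json: str) -> dict:
    """Map each index whose shard failed to the set of field names reported missing.

    Indices that appear here are the ones whose mapping (or index template)
    needs the field, or that should be excluded from the index pattern.
    """
    payload = json.loads(error_json)
    result = {}
    for shard in payload.get("error", {}).get("failed_shards", []):
        caused_by = shard.get("reason", {}).get("caused_by", {}).get("reason", "")
        match = MISSING_FIELD_RE.search(caused_by)
        if match:
            result.setdefault(shard["index"], set()).add(match.group(1))
    return result


def guarded_script(field: str) -> str:
    """Painless expression for a scripted field that tolerates a missing mapping.

    doc.containsKey() guards against the field being absent from the mapping;
    size() > 0 guards against a document that has the mapping but no value.
    """
    return (f"doc.containsKey('{field}') && doc['{field}'].size() > 0 "
            f"? doc['{field}'].value : null")


if __name__ == "__main__":
    for index, fields in sorted(missing_fields(SAMPLE_ERROR).items()):
        print(f"{index}: missing {', '.join(sorted(fields))}")
    print("guarded scripted field:", guarded_script("flow_id"))
```

Pasting the guarded expression into the scripted field under Management > Index Patterns stops the Discover error; it does not change which documents actually carry `flow_id`, so the missing-field list is still the thing to fix on the ingest side.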

pevma commented 5 years ago

Can you try upgrading to the latest SELKS please, via https://github.com/StamusNetworks/SELKS/wiki/SELKS-upgrades? I think the latest ELK stack available should be 6.7.x?

alphaDev23 commented 5 years ago

Is SELKS now required? I currently run ELK services in a docker swarm cluster for HA. Running a separate distro is not really an option for a number of reasons. As a note, the templates worked on ELK services 6.4.x.

pevma commented 5 years ago

Hi,

No, SELKS is not required. For some reason I thought you were running it. From the error it seems it cannot find the field / there is none. On which dashboard do you get that error? How do you reproduce it?

Thank you

-- Regards, Peter Manev

On 19 Jun 2019, at 05:04, alphaDev23 notifications@github.com wrote:

Is SELKS now required? I currently run ELK services in a docker swarm cluster for HA. Running a separate distro is not really an option for a number of reasons. As a note, the templates worked on ELK services 6.4.x.


alphaDev23 commented 5 years ago

The error is on the Discover tab.

pevma commented 5 years ago

Thanks for the follow-up. Only on the Discover tab and not on the dashboards?

alphaDev23 commented 5 years ago

After upgrading to 6.6 and other changes, I'm unable to reproduce this issue.