I have a pretty basic Logstash setup putting events into Elastic Search with an index per day. The data being added is already in JSON (Suricata EVE). I don't think it gets a whole lot more basic than this.
I just upgraded from 5.0 to 5.1 and then any query using an aggregation (I use term aggregations) do not return any results. If I delete todays index and restart logstash so the index gets recreated I can then again do aggregations.
Is this expected?
No, it isn't expected.
Do the aggregations just never return? Do you get shard errors? Is there anything in the logs? Do the mappings look particularly different for the different days?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.