Alerting is not working for unexisting _doc type

Hi everyone, i noticed that alerting is not working if i use a costum dynamic template.

After having created a query on a watcher i'm not able to create a trigger, here's the message from extraction query:

Failed to parse mapping [_doc]: Root mapping definition has unsupported parameters: [_doc : {dynamic_templates=[{message_text={path_match=message, mapping={type=text}}}, {cust_msg_text={path_match=cust_msg, mapping={type=text}}}, {payload_text={path_match=payload*, mapping={type=text}}}, {playload={path_match=playload*, mapping={type=text}}}, {timestamp_fix={path_match=timestamp, mapping={format=YYYY MMM dd HH:mm:ss:SSS||YYYY-MM-dd HH:mm:ss.SSZZ||YYYY-MM-dd'T'HH:mm:ss.SSSZZ||YYY-MM-dd'T'HH:mm:ss.SZZ||YYY-MM-dd'T'HH:mm:ss.SZ||YYYY-MM-dd'T'HH:mm:ss,SZZ||YYYY-MM-dd'T'HH:mm:ss.SSSz||YYYY-MM-dd'T'HH:mm:ss.Sz||YYYY-MM-dd'T'HH:mm:ss.SSz||YYYY-MM-dd'T'HH:mm:ss,SSSz||YYYY-MM-dd'T'HH:mm:ss,Sz||YYYY-MM-dd'T'HH:mm:ss,SSz||YYYY-MM-dd'T'HH:mm:ssz, type=date}}}]}]

As for my custum template:

{
    "index_patterns": [
      "*"
    ],
    "order": 0,
    "mappings": {
      "dynamic_templates": [
        {
          "message_text": {
            "path_match": "message",
            "mapping": {
              "type": "text"
            }
          }
        },
        {
          "cust_msg_text": {
            "path_match": "cust_msg",
            "mapping": {
              "type": "text"
            }
          }
        },
        {
          "payload_text": {
            "path_match": "payload*",
            "mapping": {
              "type": "text"
            }
          }
        },
        {
          "playload": {
            "path_match": "playload*",
            "mapping": {
              "type": "text"
            }
          }
        },
        {
          "timestamp_fix": {
            "path_match": "timestamp",
            "mapping": {
              "type": "date",
              "format": "YYYY MMM dd HH:mm:ss:SSS||YYYY-MM-dd HH:mm:ss.SSZZ||YYYY-MM-dd'T'HH:mm:ss.SSSZZ||YYY-MM-dd'T'HH:mm:ss.SZZ||YYY-MM-dd'T'HH:mm:ss.SZ||YYYY-MM-dd'T'HH:mm:ss,SZZ||YYYY-MM-dd'T'HH:mm:ss.SSSz||YYYY-MM-dd'T'HH:mm:ss.Sz||YYYY-MM-dd'T'HH:mm:ss.SSz||YYYY-MM-dd'T'HH:mm:ss,SSSz||YYYY-MM-dd'T'HH:mm:ss,Sz||YYYY-MM-dd'T'HH:mm:ss,SSz||YYYY-MM-dd'T'HH:mm:ssz"
            }
          }
        }
      ]
    }
  }

As you can see in mapping there is not _doc which is deprecated,
I think this might be a bug

Best regards

you wrote alerting in the subject, but monitoring in the body. Can you be more clear?

Also, can you share the template? Especially the patterns you are applying it to?

Thanks!

--Alex

1 Like

Hi!
Thank you for replying!!
i updated my issue and i shared my template!

do not use index_patterns: [*], this means that you index pattern will also be applied to the internal elastic indices used by security, alerting and monitoring. Always specify a proper index pattern with a prefix.

1 Like

Thank you for your quick reply, im trying to use a regexp for negative look behind to exclude index names starting with point, i tried this one: "^(?!\\.).*" but it doesn't work, do you have any hint?

this does not support the full complexity of regexes, just simple patterns, as performance is important here - backtracking would reduce that performance very likely significantly

1 Like

Thank you very very very much!
Everything works now!