When I attempt to create an ML job using one of the pre-defined jobs for instance "windows_rare_user_type10_remote_login", I receive the below error:
[status_exception] [datafeed-windows_rare_user_type10_remote_login] cannot retrieve field [@timestamp] because it has no mappings
I am using the default winlogbeat index template which shows the mapping for @timestamp is set correctly.
"@timestamp": {
"type": "date"
},
Any ideas?
There's a mapping clash in there somewhere...check the following:
Get the name of the index pattern the datafeed is configured to use:
GET _ml/datafeeds/datafeed-windows_rare_user_type10_remote_login
You're looking for what is defined in the indices section, for example:
"indices" : [
"myindexname-*"
],
Then, determine the mappings for that exact name index pattern (including the wildcards, if any):
GET myindexname-*/_mapping
Post the results here so we can see
Hey Rich,
Thanks for pointing me in the right direction. The mapping I use was different from the default specified in the datafeed.
After updating using the below API call, I was successfully able to start the job.
POST _ml/datafeeds/datafeed-windows_rare_user_type10_remote_login/_update
{
"indices": ["<new-index-name>"]
}
Cheers,
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.