Anomaly detection - Elastic Jobs failing to start

When I attempt to create an ML job using one of the pre-defined jobs, for instance "windows_rare_user_type10_remote_login", I receive the error below:

[status_exception] [datafeed-windows_rare_user_type10_remote_login] cannot retrieve field [@timestamp] because it has no mappings

I am using the default winlogbeat index template which shows the mapping for @timestamp is set correctly.

      "@timestamp": {
        "type": "date"
      },

Any ideas?

There's a mapping clash in there somewhere...check the following:

Get the name of the index pattern the datafeed is configured to use:

GET _ml/datafeeds/datafeed-windows_rare_user_type10_remote_login

You're looking for what is defined in the indices section, for example:

      "indices" : [
        "myindexname-*"
      ],

Then, determine the mappings for that exact index pattern name (including the wildcards, if any):

GET myindexname-*/_mapping

Post the results here so we can see.

Hey Rich,

Thanks for pointing me in the right direction. The mapping I use was different from the default specified in the datafeed.

After updating using the below API call, I was successfully able to start the job.

POST _ml/datafeeds/datafeed-windows_rare_user_type10_remote_login/_update
{
  "indices": ["<new-index-name>"]
}

Cheers,
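
The two checks from the thread (which index patterns the datafeed queries, and whether the indices they match map the time field as a date), as an added Python example that is not part of the original posts. It runs offline on constructed sample responses shaped like the output of GET _ml/datafeeds/<id> and GET _mapping; the function names and the sample index names are assumptions.

```python
from fnmatch import fnmatchcase

DATE_TYPES = {"date", "date_nanos"}

def field_type(index_mapping, field):
    """Walk a dotted field name through nested "properties"; return its type or None."""
    node = index_mapping.get("mappings", {})
    for part in field.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")

def check_datafeed(datafeed_resp, mapping_resp, time_field="@timestamp"):
    """Return {pattern: problem} for each datafeed index pattern that cannot
    supply time_field. Only '*' wildcards are handled (assumption: no
    comma-separated or '-' exclusion patterns)."""
    problems = {}
    for feed in datafeed_resp["datafeeds"]:
        for pattern in feed["indices"]:
            matched = [name for name in mapping_resp if fnmatchcase(name, pattern)]
            if not matched:
                # A pattern that resolves to nothing gives the datafeed no mappings at all.
                problems[pattern] = "matches no index"
                continue
            types = {n: field_type(mapping_resp[n], time_field) for n in matched}
            bad = sorted(n for n, t in types.items() if t not in DATE_TYPES)
            if bad:
                problems[pattern] = f"{time_field} not mapped as a date in {bad}"
    return problems

# Constructed sample responses (index names are made up for the example).
DATAFEED = {"count": 1, "datafeeds": [{
    "datafeed_id": "datafeed-windows_rare_user_type10_remote_login",
    "indices": ["myindexname-*"],
}]}
MAPPINGS = {
    "winlogbeat-000001": {"mappings": {"properties": {"@timestamp": {"type": "date"}}}},
    "custom-winlog-000001": {"mappings": {"properties": {"message": {"type": "text"}}}},
}

if __name__ == "__main__":
    for pattern, problem in check_datafeed(DATAFEED, MAPPINGS).items():
        print(f"{pattern}: {problem}")
```

An empty result means every pattern resolves to at least one index and each matched index maps the time field as a date.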
