App Search: Analytics stopped working; no values shown

Dear Community,

I have installed Elastic Enterprise Search version 8.8. Here I used App Search and that with 30 engines and 5 meta engines. Everything was running fine, even the analytics were kept. Both queries and clicks were captured.

Now we have upgraded to 8.8.1 and Search still works fine, however the Analytics functions are all broken now. No new values are being recorded anymore. The old values can still be retrieved, but for example the last 7 days shows nothing. We don't get an error message either. Even if we put in fake click data via the Python application, it is accepted without error message but not displayed!

Do you guys have any ideas where to look to find the problem? The log files are all unremarkable. It may be useful to mention that the API logs still work. Every request is listed correctly here.

Many greetings

Hi @frederik1,

I'm sorry you're encountering this. How do you have Enterprise Search deployed? Are you using Elastic Cloud, or self-managed? And has anything changed recently in how you deploy it?

App Search's analytics come from a data stream that is populated by a side-car'd FileBeat instance that comes with Enterprise Search. When I've seen this kind of issue before, it's because the host Enterprise Search is running on has some changed filesystem permissions, and the user running Enterprise Search no longer has permission to write to the log file that FileBeat would read from.

If you're running self-manged Enterprise Search, check your enterprise-search*/log/filebeat* files to see if you can find any errors, and make sure that enterprise-search*/tmp/ent-search-filebeat.yml exists and has the right Elasticsearch configuration.

That was really helpful, Sean. I figured out, that the Filebeat was not able to push the data to the index due to a wrong format of the IP address:

\“type\“:\“document_parsing_exception\“,\“reason\“:\“[1:393] failed to parse field [related.ip] of type [ip] in document with id ‘8WZujIkBkKjv5knQlm4S’. Preview of field’s value: ‘[0:0:0:0:0:0:0:1]‘\“,\“caused_by\“:{\“type\“:\“illegal_argument_exception\“,\“reason\“:\“‘[0:0:0:0:0:0:0:1]’ is not an IP string literal.\“}}, dropping event!“,
  “”: “filebeat”,
  “ecs.version”: “1.6.0"

I connected to ES via SSH and with a port forwarding with localhost. On the server, localhost was defined as IPv4 and IPv6. When I force the SSH forwarding to use IPv4, everything works fine. So I guess, I will just go this way.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.