Search with error in Discover

Hello

I am trying to search for a phrase within a set of words in the "message" field and it returns the following error:

Response:

{
  "took": 1963,
  "timed_out": false,
  "_shards": {
    "total": 26,
    "successful": 25,
    "skipped": 25,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": ".ds-log-openshift-8.0.0-2023.10.18-001746",
        "node": "HDA8BQG7SM61JputeQBHTw",
        "reason": {
          "type": "index_out_of_bounds_exception",
          "reason": "index_out_of_bounds_exception: Index 15565 out of bounds for length 15442"
        }
      }
    ]
  },
  "hits": {
    "max_score": null,
    "hits": []
  }
}
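The response above is worth looking at closely: the request returned without an HTTP error and with an empty hit list, but one of the 26 shards failed, so the empty result is a partial result rather than "no matches". A query over security logs that silently loses a shard looks identical to a clean miss unless `_shards` is inspected. The following Python is an added example, not code from the thread or from Elastic; it parses a search response of the same shape as the one posted (the sample JSON below is constructed to mirror it) and reports whether the result can be trusted.

```python
"""Flag partial Elasticsearch search results by inspecting the _shards block.

Added example, not from the thread. SAMPLE_PARTIAL is constructed to mirror
the failing response in the question; SAMPLE_HEALTHY is a constructed
counterpart with no shard failures.
"""
import json

SAMPLE_PARTIAL = """
{
  "took": 1963,
  "timed_out": false,
  "_shards": {
    "total": 26, "successful": 25, "skipped": 25, "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": ".ds-log-openshift-8.0.0-2023.10.18-001746",
        "node": "HDA8BQG7SM61JputeQBHTw",
        "reason": {
          "type": "index_out_of_bounds_exception",
          "reason": "index_out_of_bounds_exception: Index 15565 out of bounds for length 15442"
        }
      }
    ]
  },
  "hits": {"max_score": null, "hits": []}
}
"""

SAMPLE_HEALTHY = """
{
  "took": 12,
  "timed_out": false,
  "_shards": {"total": 26, "successful": 26, "skipped": 24, "failed": 0},
  "hits": {"max_score": 1.0, "hits": [{"_id": "constructed-1", "_source": {}}]}
}
"""


def summarize_shards(response: dict) -> dict:
    """Return a compact summary of shard health and hit count for a response.

    "skipped" shards were pre-filtered (e.g. outside the time range) and are a
    subset of "successful"; only "failed" shards (or a timeout) mean that data
    may be missing from the result.
    """
    shards = response.get("_shards", {})
    failures = []
    for f in shards.get("failures", []):
        reason = f.get("reason", {})
        failures.append({
            "index": f.get("index"),
            "shard": f.get("shard"),
            "node": f.get("node"),
            "type": reason.get("type"),
            "reason": reason.get("reason"),
        })
    failed = shards.get("failed", 0)
    return {
        "total": shards.get("total", 0),
        "successful": shards.get("successful", 0),
        "skipped": shards.get("skipped", 0),
        "failed": failed,
        "timed_out": bool(response.get("timed_out", False)),
        "partial": failed > 0 or bool(response.get("timed_out", False)),
        "failures": failures,
        "hit_count": len(response.get("hits", {}).get("hits", [])),
    }


def failed_indices(summary: dict) -> list:
    """Sorted list of distinct index names that had a failing shard."""
    return sorted({f["index"] for f in summary["failures"] if f["index"]})


def check_response(raw_json: str) -> dict:
    """Parse a raw response body and summarize it."""
    return summarize_shards(json.loads(raw_json))


def report(raw_json: str) -> str:
    """Human-readable one-line verdict, suitable for a hunt-query wrapper."""
    s = check_response(raw_json)
    if not s["partial"]:
        return f"OK: {s['hit_count']} hit(s), {s['successful']}/{s['total']} shards"
    detail = "; ".join(f"{f['index']} shard {f['shard']}: {f['type']}" for f in s["failures"])
    return (f"PARTIAL RESULT: {s['hit_count']} hit(s) but {s['failed']}/{s['total']} "
            f"shard(s) failed, timed_out={s['timed_out']} [{detail}]")


if __name__ == "__main__":
    print(report(SAMPLE_PARTIAL))
    print(report(SAMPLE_HEALTHY))
```

Run the file directly and it prints a verdict for each constructed sample. The point of `partial` is that an empty `hits` array with `failed > 0` must not be recorded as "no matches" by any automated check built on top of the search; the failing index name in `failures` tells you which backing index of the data stream needs attention.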

Hello @volivares, welcome to the community!

If you remove the message field from the query, does it work? Is this field in all of your documents?

Could you please share the query (text, not an image) and provide a sample document?

Hi

Sharing the KQL query:

kubernetes.container_name:"unificacion" AND kubernetes.namespace_name:"unificacion-prod" and message:  "request starting"

Example:

{
  "_index": ".ds-log-openshift-8.0.0-2023.10.18-001747",
  "_id": "2h1FRIsBI0D8kBIGZbvG",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2023-10-18T19:31:05.318Z",
    "input": {
      "type": "syslog"
    },
    "openshift": {
      "sequence": 66666160,
      "cluster_id": "97261e16-3ece-42ee-8206-9b12063ef32b"
    },
    "log": {
      "source": {
        "address": "10.250.8.72:49350"
      }
    },
    "message": "[16:31:05 INF] Request starting HTTP/1.1 GET http://x/api/V1/unificacion/resultsGoogleRouteApi?q=GAONA%20%202916&f=UriSearch application/json ",
    "ecs": {
      "version": "8.0.0"
    },
    "event": {
      "severity": 7
    },
    "hostname": "x",
    "host": {
      "name": "filebeat-3-4p4mf"
    },
    "process": {
      "name": "ocpprod",
      "entity_id": "-"
    },
    "agent": {
      "ephemeral_id": "87bdf49d-e1d1-44d4-a709-b21a0910c633",
      "id": "041f669d-325c-4ede-9e46-fd2308a6cbea",
      "name": "filebeat-3-4p4mf",
      "type": "filebeat",
      "version": "8.0.0"
    },
    "kubernetes": {
      "namespace_name": "unificacion-prod",
      "pod_ip": "10.250.8.209",
      "host": "x",
      "container_name": "unificacion",
      "pod_name": "unificacion-29-xspz4",
      "pod_id": "986d49ee-5bdb-409e-a78b-845996157245",
      "flat_labels": [
        "app=unificacion",
        "deployment=unificacion-29",
        "deploymentconfig=unificacion",
        "log=clusterlogging",
        "source=cicd"
      ]
    }
  },
  "fields": {
    "kubernetes.pod_ip": [
      "10.250.8.209"
    ],
    "process.name.text": [
      "ocpprod"
    ],
    "process.entity_id": [
      "-"
    ],
    "agent.type": [
      "filebeat"
    ],
    "hostname": [
      "x"
    ],
    "agent.name": [
      "filebeat-3-4p4mf"
    ],
    "host.name": [
      "filebeat-3-4p4mf"
    ],
    "kubernetes.host": [
      "x"
    ],
    "kubernetes.flat_labels": [
      "app=unificacion",
      "deployment=unificacion-29",
      "deploymentconfig=unificacion",
      "log=clusterlogging",
      "source=cicd"
    ],
    "event.severity": [
      7
    ],
    "kubernetes.container_name": [
      "unificacion"
    ],
    "input.type": [
      "syslog"
    ],
    "agent.hostname": [
      "filebeat-3-4p4mf"
    ],
    "message": [
      "[16:31:05 INF] Request starting HTTP/1.1 GET http://x/api/V1/unificacion/resultsGoogleRouteApi?q=GAONA%20%202916&f=UriSearch application/json "
    ],
    "kubernetes.namespace_name": [
      "unificacion-prod"
    ],
    "process.name": [
      "x"
    ],
    "@timestamp": [
      "2023-10-18T19:31:05.318Z"
    ],
    "agent.id": [
      "041f669d-325c-4ede-9e46-fd2308a6cbea"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "kubernetes.pod_id": [
      "986d49ee-5bdb-409e-a78b-845996157245"
    ],
    "openshift.sequence": [
      66666160
    ],
    "log.source.address": [
      "x"
    ],
    "openshift.cluster_id": [
      "97261e16-3ece-42ee-8206-9b12063ef32b"
    ],
    "agent.ephemeral_id": [
      "87bdf49d-e1d1-44d4-a709-b21a0910c633"
    ],
    "agent.version": [
      "8.0.0"
    ],
    "kubernetes.pod_name": [
      "unificacion-29-xspz4"
    ]
  }
}

Thanks for the info.

Apparently kubernetes.container_name and kubernetes.namespace_name are keywords and you are searching for the specific keyword and the message field is a text value and you want to search for a text that contains “request starting” as part of the message. Is that it?

Could you please try to do this with a wildcard query?

It will be:

kubernetes.container_name:"unificacion" AND kubernetes.namespace_name:"unificacion-prod" and message: *starting*
