Dataframe Analytics Job Failed to apply boolean mapping

willemdh · May 13, 2020, 7:53am

Hello,

Just tried a dataframe analytics outlier job on our panw data, which immeditaly failed when trying to start:

An error occurred starting the data frame analytics dig_dfa_outlier_panw_user_001: {"statusCode":400,"error":"Bad Request","message":"[illegal_argument_exception] cannot apply boolean mapping to field [coredns.dnssec_ok]"}

coredns.dnssec_ok isn't even a field in these indices. It's inherited by the filebeat template..

Excluding it just throws an error on an other unused boolean field.

Grtz

Willem

wei.wang · May 14, 2020, 3:52am

Hi Willem,

First, could you tell which stack version you are using?

willemdh · May 14, 2020, 6:19am

Hey Wei, Current version is 7.6.1. Grtz

wei.wang · May 15, 2020, 3:48am

Hi Willem,

In v7.6.1, if, as you described, coredns.dnssec_ok isn't even a field in these indices, a different error should be thrown:

An error occurred starting the data frame analytics job:

[status_exception] Unable to start < dig_dfa_outlier_panw_user_001 > as no documents in the source indices < your source index> contained all the fields selected for analysis. ...

What I am going to suggest:

Double check all the indices which you are using as outlier job's source index, and see if any doc has value for coredns.dnssec_ok,
Then check if there are any mapping differences across all the indices for field coredns.dnssec_ok,
Better to avoid using an existing index as destination index,
Instead of excluding fields, you can choose which fields to be included, here it is the example : Create data frame analytics jobs API | Elasticsearch Guide [master] | Elastic

If all the above still cant fix your problem, I might need more information fo troubleshooting, like your source indices mapping, job settings json, etc.

Regards.

system · June 12, 2020, 3:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.