Just tried a dataframe analytics outlier job on our panw data, which immediately failed when trying to start:
An error occurred starting the data frame analytics dig_dfa_outlier_panw_user_001: {"statusCode":400,"error":"Bad Request","message":"[illegal_argument_exception] cannot apply boolean mapping to field [coredns.dnssec_ok]"}
coredns.dnssec_ok isn't even a field in these indices. It's inherited by the filebeat template.
Excluding it just throws an error on another unused boolean field.
In v7.6.1, if, as you described, coredns.dnssec_ok isn't even a field in these indices, a different error should be thrown:
An error occurred starting the data frame analytics job:
[status_exception] Unable to start < dig_dfa_outlier_panw_user_001 > as no documents in the source indices < your source index> contained all the fields selected for analysis. ...
What I am going to suggest:
Double check all the indices which you are using as outlier job's source index, and see if any doc has value for coredns.dnssec_ok,
Then check if there are any mapping differences across all the indices for field coredns.dnssec_ok,
Better to avoid using an existing index as destination index,
If all the above still can't fix your problem, I might need more information for troubleshooting, like your source indices mapping, job settings json, etc.
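
The mapping comparison suggested in the reply above, as an added example that is not part of the original thread: it reads a response shaped like Elasticsearch's `_field_caps` API and lists the fields that are mapped with different types across the source indices. The sample response, the index names and the conflicting keyword mapping are constructed for illustration.

```python
# Added example, not from the thread. SAMPLE is a constructed response shaped like
#   GET filebeat-*/_field_caps?fields=coredns.dnssec_ok,source.ip&include_unmapped=true
# Index names and the conflicting keyword mapping are made up for illustration.
SAMPLE = {
    "indices": ["panw-000001", "panw-000002", "panw-old", "panw-raw"],
    "fields": {
        "coredns.dnssec_ok": {
            "boolean": {"type": "boolean", "searchable": True, "aggregatable": True,
                        "indices": ["panw-000001", "panw-000002"]},
            "keyword": {"type": "keyword", "searchable": True, "aggregatable": True,
                        "indices": ["panw-old"]},
            "unmapped": {"type": "unmapped", "searchable": False, "aggregatable": False,
                         "indices": ["panw-raw"]},
        },
        "source.ip": {"ip": {"type": "ip", "searchable": True, "aggregatable": True}},
    },
}


def types_by_field(field_caps):
    """Return {field: {type: [indices]}}, filling in omitted index lists."""
    everything = sorted(field_caps.get("indices", []))
    result = {}
    for field, by_type in field_caps.get("fields", {}).items():
        # _field_caps omits "indices" when every index agrees on the type
        result[field] = {t: sorted(caps.get("indices") or everything)
                         for t, caps in by_type.items()}
    return result


def mapping_conflicts(field_caps):
    """Fields mapped with more than one real type ('unmapped' does not count)."""
    conflicts = {}
    for field, by_type in types_by_field(field_caps).items():
        mapped = {t: idx for t, idx in by_type.items() if t != "unmapped"}
        if len(mapped) > 1:
            conflicts[field] = mapped
    return conflicts


def report(field_caps):
    """One line per (field, type) pair for every conflicting field."""
    return [f"{field}: {t} in {', '.join(idx)}"
            for field, types in sorted(mapping_conflicts(field_caps).items())
            for t, idx in sorted(types.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no mapping conflicts")
```

To use it on real data, save the JSON returned by the `_field_caps` request for the job's source index pattern and pass the parsed object to `report`.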