Dynamic Mapping Watcher

Oh dear... well here we go. Tried with the example log watcher, and with creating the watch I get this:

{"error":"WatcherException[failed to put watch [log_error_watch]]; nested: TypeMissingException[[.watches] type[[watch, trying to auto create mapping, but dynamic mapping is disabled]] missing]; ","status":500}

I have other indexes on the cluster that are working fine.. and have been for 10+ months, so what have I missed here? Do I actually have to create a mapping for watcher? If so, what fields are returned as normal?

My curl call was:
curl -XPUT 'http://[myserver]:[myport]/_watcher/watch/log_error_watch' -d '{
"trigger" : {
"schedule" : { "interval" : "10s" }
},
"input" : {
"search" : {
"request" : {
"indices" : [ "logs" ],
"body" : {
"query" : {
"match" : { "message": "error" }
}
}
}
}
}
}'

Thanks in advance....

What index are you putting this against, because it looks like that dynamic mapping explicitly disabled.

Apologies... forgot the correct curl call.. its against the _watcher index:

curl -XPUT 'http://[my_server]:[my_port]/_watcher/watch/log_error_watch' -d '{
"trigger" : {
"schedule" : { "interval" : "10s" }
},
"input" : {
"search" : {
"request" : {
"indices" : [ "logs" ],
"body" : {
"query" : {
"match" : { "message": "error" }
}
}
}
}
}
}'

What would cause the dynamic mapping to be turned off? I haven't (knowingly) turned it off...as its really useful to have turned on.

Peter C

Hi Peter,

can you provide us the output for:

GET .watches/_mapping

Is there a chance you accidentally deleted the mappings for the .watches index?

Ooops....you just cant get the staff can you:
{
".watches" : {
"mappings" : { }
}
}

That doesn't look good does it? Is there an easy way to get them back?
Peter C

That doesn't look good does it?

no, it doesn't :).

yea.. seems like the mappings were deleted, do the following:

  1. stop the node
  2. add watcher.index.rest.direct_access: true to elasticsearc.yml
  3. start the node
  4. delete .watches index DELETE /.watches

now you should be able the put watches again. But before you do that, please revert the direct access setting:

  1. stop the node
  2. remove watcher.index.rest.direct_access: true from elasticsearch.yml
  3. start the node

The watcher.index.rest.direct_access enables/disables direct access to the .watches index via the rest API such that you won't be able to add/delete/update documents there. We don't have this protection (yet) against mapping deletion.... we'll consider adding it (or find another way to prevent this from happening)

pls let us know how it goes