Elasticsearch profiling, script error

Akaren · November 27, 2018, 1:03pm

Hi, I have ELK v 6.1 and I am doing profiling of my queries from charts - I just copy request that I can see from kibana. But I always get error:

{"error":{"root_cause":[{"type":"script_exception","reason":"compile error","script_stack":["if(doc[attrs.sip-code].value ==  ...","       ^---- HERE"],"script"

So profiling can't see doc values?

Here is my profile query

 curl -X GET "localhost:9200/logstash*/_search" -H 'Content-Type: application/json' -d'{"profile": true, 
 "size":"500","sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"script_fields": 
 {"sip_name_translate":{"script":{"inline":"if(doc['attrs.sip-code'].value == 200) { return \"OK\" }  else 
 {return doc['type'].value}","lang":"painless"}},"docvalue_fields":["@timestamp","ts"],"query":{"bool":{"must":[{"query_string": 
 {"query":"type: call-start OR type: call-end OR type:call- 
 attempt"}},{"range":{"@timestamp": 
{"gte":1529428284890,"lte":1529540016737,"format":"epoch_millis"}}}],"filter":[],"should":[],"must_not": 
[]}}}'

rjernst · November 27, 2018, 4:31pm

Notice in the error the single quotes are removed from your field name:

doc[attrs.sip-code].value

Your single quotes are being eaten by curl.

Akaren · November 27, 2018, 10:51pm

AH, so how should I do it?

doc[\'attrs.sip-code\'].value

or

doc[\"attrs.sip-code\"].value

doesn't work

rjernst · November 27, 2018, 11:17pm

There are a number of ways to handle it. One way is to put your data in a file and reference via -d @myfile.json, another is to unicode escape the single quote by replacing with \u0027.

Akaren · November 28, 2018, 1:15pm

I have tried both options on simple example, here is the one with \u0027:

  curl -X GET "localhost:9200/logstash*/_search" -H 'Content-Type: application/json' -d' {"_source": 
 ["from"],"aggs":{"agg":{"sum":{"field":"duration","script": 
 {"source":"doc[\u0027duration\u0027].value/60"}}}}}'

But both options has the same error:

 {"error":{"root_cause":[{"type":"parsing_exception","reason":"[sum] failed to parse field 
 [script]","line":1,"col":85}],"type":"parsing_exception","reason":"[sum] failed to parse field 
 [script]","line":1,"col":85,"caused_by":{"type":"illegal_argument_exception","reason":"[script] unknown 
 field [source], parser not found"}},"status":400}[root@sbcmon ~]#

rjernst · November 28, 2018, 8:08pm

I don't think this new error has anything to do with single quotes. What version of elasticsearch are you running against? If you replace "source" with "inline" does it work?

Akaren · November 29, 2018, 8:01am

Yes! You are right, I have two different version of ELK running and testing.
Thank you for your help.

system · December 27, 2018, 8:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.