Error since 7.4 upgrade - field expansion matches too many fields

Elastic Stack Elasticsearch
1

Hi,

Whenever i view any of my dashboards i get the below... How can i debug this?

{
"took": 48,
"timed_out": false,
"_shards": {
"total": 188,
"successful": 187,
"skipped": 172,
"failed": 1,
"failures": [
{
"shard": 0,
"index": "winlogbeat-7.4.0-2019.10.17-000001",
"node": "E6igdheIRFKMNeTpM2tbLA",
"reason": {
"type": "query_shard_exception",
"reason": "failed to create query: {\n "bool" : {\n "must" : [\n {\n "query_string" : {\n "query" : "",\n "default_field" : "",\n "fields" : ,\n "type" : "best_fields",\n "default_operator" : "or",\n "max_determinized_states" : 10000,\n "enable_position_increments" : true,\n "fuzziness" : "AUTO",\n "fuzzy_prefix_length" : 0,\n "fuzzy_max_expansions" : 50,\n "phrase_slop" : 0,\n "analyze_wildcard" : true,\n "time_zone" : "Europe/London",\n "escape" : false,\n "auto_generate_synonyms_phrase_query" : true,\n "fuzzy_transpositions" : true,\n "boost" : 1.0\n }\n }\n ],\n "filter" : [\n {\n "match_all" : {\n "boost" : 1.0\n }\n },\n {\n "match_phrase" : {\n "log.level" : {\n "query" : "error",\n "slop" : 0,\n "zero_terms_query" : "NONE",\n "boost" : 1.0\n }\n }\n },\n {\n "range" : {\n "@timestamp" : {\n "from" : "2019-10-16T23:00:00.000Z",\n "to" : "2019-10-17T22:59:59.999Z",\n "include_lower" : true,\n "include_upper" : true,\n "format" : "strict_date_optional_time",\n "boost" : 1.0\n }\n }\n }\n ],\n "adjust_pure_negative" : true,\n "boost" : 1.0\n }\n}",
"index_uuid": "DtneUPg9QgCN68P2NkDxSA",
"index": "winlogbeat-7.4.0-2019.10.17-000001",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "field expansion matches too many fields, limit: 1024, got: 1475"
}
}
}
]
},

Cheers,

2

The number of fields a query can target is by default limited to 1024 by the the indices.query.bool.max_clause_count setting. It is intended to protect users from accidentally running a query on too many fields (like 1475 in your case) because this typically is not done on purpose but rather by undespecifying the query, and can cause long running, expensive queries. In your case not specifying any "fields" will run the query on all fields. The question is whether this in inteded and/or avoidable. If you do this on purpose in your Kibana visualizations and cannot reduce the query to certain fields you need to update the setting to accomodate for the number of fields you have. More than 1000 fields in an index is remarkably high though and you might want to spent some time asking yourself what all these fields are doing there (or if some of them were e.g. created by accident using dynamic mapping etc...)

Cheers

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.