Error since 7.4 upgrade - field expansion matches too many fields

L33T · October 17, 2019, 3:18pm

Hi,

Whenever i view any of my dashboards i get the below... How can i debug this?

{
"took": 48,
"timed_out": false,
"_shards": {
"total": 188,
"successful": 187,
"skipped": 172,
"failed": 1,
"failures": [
{
"shard": 0,
"index": "winlogbeat-7.4.0-2019.10.17-000001",
"node": "E6igdheIRFKMNeTpM2tbLA",
"reason": {
"type": "query_shard_exception",
"reason": "failed to create query: {\n "bool" : {\n "must" : [\n {\n "query_string" : {\n "query" : "",\n "default_field" : "",\n "fields" : ,\n "type" : "best_fields",\n "default_operator" : "or",\n "max_determinized_states" : 10000,\n "enable_position_increments" : true,\n "fuzziness" : "AUTO",\n "fuzzy_prefix_length" : 0,\n "fuzzy_max_expansions" : 50,\n "phrase_slop" : 0,\n "analyze_wildcard" : true,\n "time_zone" : "Europe/London",\n "escape" : false,\n "auto_generate_synonyms_phrase_query" : true,\n "fuzzy_transpositions" : true,\n "boost" : 1.0\n }\n }\n ],\n "filter" : [\n {\n "match_all" : {\n "boost" : 1.0\n }\n },\n {\n "match_phrase" : {\n "log.level" : {\n "query" : "error",\n "slop" : 0,\n "zero_terms_query" : "NONE",\n "boost" : 1.0\n }\n }\n },\n {\n "range" : {\n "@timestamp" : {\n "from" : "2019-10-16T23:00:00.000Z",\n "to" : "2019-10-17T22:59:59.999Z",\n "include_lower" : true,\n "include_upper" : true,\n "format" : "strict_date_optional_time",\n "boost" : 1.0\n }\n }\n }\n ],\n "adjust_pure_negative" : true,\n "boost" : 1.0\n }\n}",
"index_uuid": "DtneUPg9QgCN68P2NkDxSA",
"index": "winlogbeat-7.4.0-2019.10.17-000001",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "field expansion matches too many fields, limit: 1024, got: 1475"
}
}
}
]
},

Cheers,

cbuescher · October 21, 2019, 1:47pm

The number of fields a query can target is by default limited to 1024 by the the indices.query.bool.max_clause_count setting. It is intended to protect users from accidentally running a query on too many fields (like 1475 in your case) because this typically is not done on purpose but rather by undespecifying the query, and can cause long running, expensive queries. In your case not specifying any "fields" will run the query on all fields. The question is whether this in inteded and/or avoidable. If you do this on purpose in your Kibana visualizations and cannot reduce the query to certain fields you need to update the setting to accomodate for the number of fields you have. More than 1000 fields in an index is remarkably high though and you might want to spent some time asking yourself what all these fields are doing there (or if some of them were e.g. created by accident using dynamic mapping etc...)

Cheers

system · November 18, 2019, 1:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.