Failed to execute fetch phase - Field does not support custom formats

opoplawski · February 27, 2019, 4:05pm

We just added winlogbeat data to our elasticsearch setup. But now kibana will not show any results for the winlogbeat-* index pattern. Dury the query elasticsearch reports:
[2019-02-27T07:56:51,417][DEBUG][o.e.a.s.TransportSearchAction] [riXPT11] [24219] Failed to execute fetch phase
org.elasticsearch.transport.RemoteTransportException: [riXPT11][127.0.0.1:9300][indices:data/read/search[phase/fetch/id]]
Caused by: java.lang.IllegalArgumentException: Field [event_data.DeviceTime] of type [keyword] does not support custom formats
at org.elasticsearch.index.mapper.MappedFieldType.docValueFormat(MappedFieldType.java:471) ~[elasticsearch-6.6.1.jar:6.6.1]

I checked the index template for winlogbeat-6.6.1-* and there is no entry for event_data.DeviceTime. Is that an oversight?

opoplawski · February 27, 2019, 4:46pm

I also see "3 out of 812 shards failed". Is there some way to see what shards are failing?

system · March 27, 2019, 4:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field [winlog.event_data.ProcessCreationTime] of type [keyword] does not support custom formats Beats winlogbeat	5	3619	July 2, 2020
Custom format isn't supported Elasticsearch	11	6614	July 5, 2017
Winlogbeat/filebeat not sending data to elasticsearch Beats elastic-stack-security , filebeat	2	256	August 29, 2023
Beats / Kibana custom format isn't supported Beats metricbeat	2	1150	May 22, 2017
Error in Winlogbeat logs Beats winlogbeat	11	2333	August 16, 2018

Failed to execute fetch phase - Field does not support custom formats

Related topics