Failed to execute fetch phase - Field does not support custom formats

opoplawski · February 27, 2019, 4:05pm

We just added winlogbeat data to our elasticsearch setup. But now kibana will not show any results for the winlogbeat-* index pattern. Dury the query elasticsearch reports:
[2019-02-27T07:56:51,417][DEBUG][o.e.a.s.TransportSearchAction] [riXPT11] [24219] Failed to execute fetch phase
org.elasticsearch.transport.RemoteTransportException: [riXPT11][127.0.0.1:9300][indices:data/read/search[phase/fetch/id]]
Caused by: java.lang.IllegalArgumentException: Field [event_data.DeviceTime] of type [keyword] does not support custom formats
at org.elasticsearch.index.mapper.MappedFieldType.docValueFormat(MappedFieldType.java:471) ~[elasticsearch-6.6.1.jar:6.6.1]

I checked the index template for winlogbeat-6.6.1-* and there is no entry for event_data.DeviceTime. Is that an oversight?

opoplawski · February 27, 2019, 4:46pm

I also see "3 out of 812 shards failed". Is there some way to see what shards are failing?

system · March 27, 2019, 4:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field [winlog.event_data.ProcessCreationTime] of type [keyword] does not support custom formats Beats winlogbeat	5	3601	July 2, 2020
Field [@timestamp] of type [keyword] does not support custom time zones Beats packetbeat	2	6818	July 3, 2018
Winlogbeat/filebeat not sending data to elasticsearch Beats elastic-stack-security , filebeat	2	256	August 29, 2023
Failed to execute operation for shard Elasticsearch	6	1692	July 5, 2017
Failed to execute fetch phase org.elasticsearch.transport.RemoteTransportException Elasticsearch	3	2160	October 24, 2017

Failed to execute fetch phase - Field does not support custom formats

Related Topics