Finding documents with message field exceeding 1 mln characters

elk1985 · February 21, 2024, 12:02pm

Hello.
I'm getting error regarding exceeded message field length (over 1 mln characters).
I want to identify them. I found a script in painless language:

GET /your_index/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "script": {
            "script": {
              "source": "doc['message.keyword'].value.length() > 1000000",
              "lang": "painless"
            }
          }
        }
      ]
    }
  }
}

I'm getting

Unhandled Exception illegal_argument_exception

unexpected token ['{'] was expecting one of [{<EOF>, ';'}].

Stack:
[
  "GET /your_index/_search\n{\n  \"query\": {\n    \"bool\" ...",
  "                        ^---- HERE"
]

What's wrong here. Any ideas ?

elk1985 · February 26, 2024, 9:21am

Hey. I have problems with this script - it will probably won't work.
I have question regarding Mapper size plugin. If I will install it now will I be able to search for large documents in indexes from past (4 months back) ?

Maper size plugin

dadoonet · February 26, 2024, 11:43am

No. It works only on updated or new documents.

dadoonet · February 26, 2024, 11:44am

From where are you running this?

elk1985 · February 27, 2024, 8:47am

I was running it from Dev Tools. I was able to fix the script. But it was not working on text fields. So instead i used Size mapper plugin. It works like a charm.
And You are correct - plugin works only after You enable it in template or in new index.
Regards

system · March 26, 2024, 8:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.