Having Issues query since upgraded to ES 5.6

Hello,
I recently updated our security dashboard Elasticsearch based version to latest 5.63 , since then we having issues in some of our visualization , i can see its related to “Fielddata is disabled on text fields” , any suggestion for fixing it, or another way to query same result?
Thanks

{
"root_cause": [
{
"type": "illegal_argument_exception",
"reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [SrcIp] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
}
],
"type": "search_phase_execution_exception",
"reason": "all shards failed",
"phase": "query",
"grouped": true,
"failed_shards": [
{
"shard": 0,
"index": "ids_sensors",
"node": "pYd_mhyPTvO01n9wGK1pLQ",
"reason": {
"type": "illegal_argument_exception",
"reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [SrcIp] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
}
}
]
}

The problem is that the SrcIp field is a text field and elasticsearch no longer builds field data for text fields by default. The suggestion on how to fix it is actually in the text of the error message that you posted

In other words you need to set the mapping for this field to keyword or use SrcIp.keyword field instead if you used dynamic mapping, or you need to enable fielddata on this field if first two suggestions don't work for you for some reason.

Please see the "Fielddata is disabled on text fields by default" section of the elasticsearch documentation for more information.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.