Index Pattern Matching


(Tim Desrochers) #1

I am having an issue with index patterns in Kibana 4.5. I had an index pattern named bro; I deleted the index pattern, then tried to recreate it, but I am getting:

"Unable to fetch mapping. Do you have indices matching the pattern."

The part I am scratching my head at is I had this pattern working right before trying to recreate it.

Currently in my cluster I have multiple indices that contain the word "bro"; mostly it shows up as "something-bro-something". I have tried matching index pattern * as well, but I get the same "Unable to fetch mapping. Do you have indices matching the pattern." How can I match this pattern? Is there something that would preclude me from matching bro or *?

I've tried in Sense to look for the bro index pattern and it is successful:

GET _cat/indices/bro

So why is it that Kibana will not locate it?


(Nicolás Bevacqua) #2

Tim, thanks for reporting this.

Could you try doing a GET *bro*/_mapping/field/* against Elasticsearch and paste the outputs here?


(Tim Desrochers) #3

Sorry for the delay. I ran the query and the output is quite large. I can attach a doc or just paste a sample.

GET localhost:9200/*bro*/_mapping/field/*?pretty
{
  "SANITIZED-bro-SANITIZED-2016.10.08" : {
    "mappings" : {
      "exploitkit" : {
        "IP.SRC.GEOIP.CC" : {
          "full_name" : "IP.SRC.GEOIP.CC",
          "mapping" : {
            "CC" : {
              "type" : "string",
              "fields" : {
                "raw" : {
                  "type" : "string",
                  "index" : "not_analyzed",
                  "ignore_above" : 256
                }
              },
              "analyzer" : "simple"
            }
          }
        },
        "HTTP.REQUEST._FULL.title" : {
          "full_name" : "HTTP.REQUEST._FULL.title",
          "mapping" : {
            "title" : {
              "type" : "string"
            }
          }
        },
        "WHOIS.DAYS_SINCE_CREATION" : {
          "full_name" : "WHOIS.DAYS_SINCE_CREATION",
          "mapping" : {
            "DAYS_SINCE_CREATION" : {
              "type" : "float"
            }
          }
        },
        "DNS.SLACKSPACE.DATA.keywords" : {
          "full_name" : "DNS.SLACKSPACE.DATA.keywords",
          "mapping" : {
            "keywords" : {
              "type" : "string"
            }
          }
        },
        "SSL.HANDSHAKE.CIPHERSUITES.DATA.title" : {
          "full_name" : "SSL.HANDSHAKE.CIPHERSUITES.DATA.title",
          "mapping" : {
            "title" : {
              "type" : "string"
            }
          }
        },
        "JS.UNZIP.DATA.content_length" : {
          "full_name" : "JS.UNZIP.DATA.content_length",
          "mapping" : {
            "content_length" : {
              "type" : "integer"
            }
          }
        },
        "SSL.HANDSHAKE.EXTENSION.DATA.date" : {
          "full_name" : "SSL.HANDSHAKE.EXTENSION.DATA.date",
          "mapping" : {
            "date" : {
              "type" : "date",
              "format" : "strict_date_optional_time||epoch_millis"
            }
          }
        },
        "DATA.DATA.content" : {
          "full_name" : "DATA.DATA.content",
          "mapping" : {
            "content" : {
              "type" : "string"
            }
          }
        },
        "HTTP.CONTENT.HASH" : {
          "full_name" : "HTTP.CONTENT.HASH",
          "mapping" : {
            "HASH" : {
              "type" : "long"
            }
          }
        },
        "DATA.DATA" : {
          "full_name" : "DATA.DATA",
          "mapping" : {
            "DATA" : {
              "type" : "attachment",
              "fields" : {
                "content" : {
                  "type" : "string"
                },
                "author" : {
                  "type" : "string"
                },
                "title" : {
                  "type" : "string"
                },
                "name" : {
                  "type" : "string"
                },
                "date" : {
                  "type" : "date",
                  "format" : "strict_date_optional_time||epoch_millis"
                },
                "keywords" : {
                  "type" : "string"
                },
                "content_type" : {
                  "type" : "string"
                },
                "content_length" : {
                  "type" : "integer"
                },
                "language" : {
                  "type" : "string"
                }
              }
            }
          }
        },
        "SSL.HANDSHAKE.RANDOM_BYTES.name" : {
          "full_name" : "SSL.HANDSHAKE.RANDOM_BYTES.name",
          "mapping" : {
            "name" : {
              "type" : "string"
            }
          }
        },
        "JS.ENG.SCORE" : {
          "full_name" : "JS.ENG.SCORE",
          "mapping" : {
            "SCORE" : {
              "type" : "double"
            }
          }
        },
