Hi!
I have faced the issue with watcher during data aggregation. The watcher works fine without aggregation, but after trying to group values I get this error:
"type": "illegal_argument_exception",
"reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [protoPayload.resourceName] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
Is it problem with mapping?
here is my watcher:
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"gcp-test-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 100,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-{{ctx.metadata.query_period}}",
"lte": "now"
}
}
},
{
"match": {
"protoPayload.methodName": "protoPayload.authorizationInfo.resourceAttributes.name"
}
}
]
}
},
"aggs": {
"1": {
"terms": {
"field": "protoPayload.resourceName",
"size": 100
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.1.buckets.doc_count": {
"gt": 0
}
}
},
"actions": {},
"metadata": {
"query_period": "5m"
},
"transform": {
"script": {
"source": "def payload = ctx.payload; payload.starttime = Instant.ofEpochMilli(ctx.execution_time.getMillis()-1800000); payload.endtime = ctx.execution_time; return payload;",
"lang": "painless"
}
}
}
