Kibana Bad Request when creating index pattern

*** SEE EDIT BELOW ***

Hey.
Since we have upgraded ELK stack to version 7.7.1 the Kibana keeps presenting error messages of "bad request" to elasticsearch when we perform index field refresh and now when we are trying to create a new index pattern.

I know for a fact that an index have time field "@timestamp", but when trying to create kibana index pattern I get this message:
"The indices which match this index pattern don't contain any time fields."

In the browser console I see the following error:

commons.bundle.js:3 GET https://HIDDEN-HOST/kibana/api/index_patterns/_fields_for_wildcard?pattern=waf-*&meta_fields=_source 400 (Bad Request)
_callee3$ @ commons.bundle.js:3
l @ kbn-ui-shared-deps.js:288
(anonymous) @ kbn-ui-shared-deps.js:288
forEach.e. @ kbn-ui-shared-deps.js:288
asyncGeneratorStep @ commons.bundle.js:3
_next @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
fetchResponse @ commons.bundle.js:3
_callee$ @ commons.bundle.js:3
l @ kbn-ui-shared-deps.js:288
(anonymous) @ kbn-ui-shared-deps.js:288
forEach.e. @ kbn-ui-shared-deps.js:288
asyncGeneratorStep @ commons.bundle.js:3
_next @ commons.bundle.js:3
Promise.then (async)
asyncGeneratorStep @ commons.bundle.js:3
_next @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
_callee2$ @ commons.bundle.js:3
l @ kbn-ui-shared-deps.js:288
(anonymous) @ kbn-ui-shared-deps.js:288
forEach.e. @ kbn-ui-shared-deps.js:288
asyncGeneratorStep @ commons.bundle.js:3
_next @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
(anonymous) @ commons.bundle.js:3
_request @ data.plugin.js:6
getFieldsForWildcard @ data.plugin.js:6
fetchForWildcard @ data.plugin.js:25
_callee$ @ kibana.bundle.js:2
l @ kbn-ui-shared-deps.js:288
(anonymous) @ kbn-ui-shared-deps.js:288
forEach.e. @ kbn-ui-shared-deps.js:288
asyncGeneratorStep @ kibana.bundle.js:2
_next @ kibana.bundle.js:2
Promise.then (async)
asyncGeneratorStep @ kibana.bundle.js:2
_next @ kibana.bundle.js:2
(anonymous) @ kibana.bundle.js:2
(anonymous) @ kibana.bundle.js:2
componentDidMount @ kibana.bundle.js:2
vl @ kbn-ui-shared-deps.js:342
t.unstable_runWithPriority @ kbn-ui-shared-deps.js:350
Hi @ kbn-ui-shared-deps.js:342
yl @ kbn-ui-shared-deps.js:342
ol @ kbn-ui-shared-deps.js:342
(anonymous) @ kbn-ui-shared-deps.js:342
t.unstable_runWithPriority @ kbn-ui-shared-deps.js:350
Hi @ kbn-ui-shared-deps.js:342
Gi @ kbn-ui-shared-deps.js:342
Yi @ kbn-ui-shared-deps.js:342
se @ kbn-ui-shared-deps.js:342
An @ kbn-ui-shared-deps.js:342
commons.bundle.js:3 Detected an unhandled Promise rejection.
Error: Bad Request
data.plugin.js:6 Uncaught (in promise) Error: Bad Request
at data.plugin.js:6

*** EDIT ***
I have taken the request and tried to run it on another tab getting the same error:

https://hidden-host/kibana/api/index_patterns/_fields_for_wildcard?pattern=waf-*&meta_fields=_source

Response:

{"statusCode":400,"error":"Bad Request","message":"Bad Request"}

When I manually removed the end of the request:

&meta_fields=_source

I get the following response:

{"fields":[{"name":"@timestamp","type":"date","esTypes":["date"],"searchable":true,"aggregatable":true,"readFromDocValues":true},{"name":"@version","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"@version.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"@version"}}},{"name":"filename","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"filename.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"filename"}}},{"name":"host","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"host.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"host"}}},{"name":"message","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"message.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"message"}}},{"name":"path","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"path.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"path"}}},{"name":"tags","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"tags.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"tags"}}},{"name":"type","type":"string","esTypes":["text"],"searchable":true,"aggregatable":false,"readFromDocValues":false},{"name":"type.keyword","type":"string","esTypes":["keyword"],"searchable":true,"aggregatable":true,"readFromDocValues":true,"subType":{"multi":{"parent":"type"}}}]}

Can anyone explain why is it working without the meta fields? or how can I cause Kibana to not add this to the request?
I see no special errors on Kibana service or on the ES nodes...

*** EDIT2 ***
Tried different browsers- none work. they all have the same issue.

Please help me!
Thank you.

What version are you upgrading from?

What permissions does the user have when the index pattern field refresh occurs? Do you see any errors in the kibana or elasticsearch logs?

Is it possible for you to provide a har file of the failure to refresh the field list?

You could also try requesting the field list via kibana dev tools using the field caps api which is the underlying mechanism producing the field list - https://www.elastic.co/guide/en/elasticsearch/reference/current/search-field-caps.html

Aside from the error, everything else I see is correct.

Okay,
So I have managed to contact our Platinum Elasticsearch support.
After a session of debugging the issue we have figured out that the issue was due to a configuration change in the Kibana -> Advanced Settings -> meta fields, value was changed from:

_source, _id, _type, _index, _score

to:

_source

Which caused a bad request like (which returned Bad Request 400 response):

https://hidden-host/kibana/api/index_patterns/_fields_for_wildcard?pattern=waf-*&meta_fields=_source

Instead of:

https://hidden-host/kibana/api/index_patterns/_fields_for_wildcard?pattern=waf-*&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score

After resetting the meta fields configuration to default everything was working normal again.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.