Kibana Filtered Queries Failing After ES 1.0 Upgrade

Chris_Decker · February 14, 2014, 2:31pm

All,

I upgraded to elasticsearch 1.0 this morning (the upgrade went very
smoothly). I pulled-up Kibana and saw my normal dashboard - terms,
histogram, and table panels all loaded the expected data.

However, when I try to add filters to the search everything blows up. I'm
hoping that someone can help me track down why this is happening.

Logs:
Kibana loads just fine - terms, histogram and table all show the expected
data:
[14/Feb/2014:09:13:16 -0500] 1.2.3.4 TLSv1.2 DHE-RSA-AES256-SHA256 "GET
/kibana-int/dashboard/Log%20Viewer?1392387196896 HTTP/1.1" 3293
[14/Feb/2014:09:13:17 -0500] 1.2.3.4 TLSv1.2 DHE-RSA-AES256-SHA256 "GET
/logstash-2014.02.14,logstash-2014.02.14/_aliases?ignore_missing=true
HTTP/1.1" 56
[14/Feb/2014:09:13:17 -0500] 1.2.3.4 TLSv1.2 DHE-RSA-AES256-SHA256 "GET
/logstash-2014.02.14/_mapping HTTP/1.1" 698
[14/Feb/2014:09:13:17 -0500] 1.2.3.4 TLSv1.2 DHE-RSA-AES256-SHA256 "POST
/logstash-2014.02.14/_search?search_type=count HTTP/1.1" 654
[14/Feb/2014:09:13:17 -0500] 1.2.3.4 TLSv1.2 DHE-RSA-AES256-SHA256 "POST
/logstash-2014.02.14/_search HTTP/1.1" 209
[14/Feb/2014:09:13:17 -0500] 1.2.3.4 TLSv1.2 DHE-RSA-AES256-SHA256 "POST
/logstash-2014.02.14/_search HTTP/1.1" 68847

If I try to perform a search for:
field must
field : action
query : "REGISTER"

Then I get the following error back from Kibana:

Oops! SearchParseException[[logstash-2014.02.14][2]: from[-1],size[-1]:
Parse Failure [Failed to parse source
[{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1392386184987,"to":"now"}}},{"fquery":{"query":{"field":{"action":{"query":""REGISTER""}}},"_cache":true}}]}}}},"highlight":{"fields":{"type":{}},"fragment_size":2147483647,"pre_tags":["@start-highlight@"],"post_tags":["@end-highlight@"]},"size":1000,"sort":[{"@timestamp":{"order":"desc"}}]}]]]

# The elasticsearch logs show the following:

[2014-02-14 09:11:24,992][DEBUG][action.search.type ] [es1]
[logstash-2014.02.14][1], node[UuiFJ2izTeuhfUFlFiz_RA], [R], s[STARTED]:
Failed to execute [org.elasticsearch.action.search.SearchRequest@1f977bb3]
lastShard [true]
org.elasticsearch.transport.RemoteTransportException:
[es2][inet[/5.6.7.8:9300]][search/phase/query]
Caused by: org.elasticsearch.search.SearchParseException:
[logstash-2014.02.14][1]: from[-1],size[-1]: Parse Failure [Failed to parse
source
[{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1392386184987,"to":"now"}}},{"fquery":{"query":{"field":{"action":{"query":""REGISTER""}}},"_cache":true}}]}}}},"highlight":{"fields":{"type":{}},"fragment_size":2147483647,"pre_tags":["@start-highlight@"],"post_tags":["@end-highlight@"]},"size":1000,"sort":[{"@timestamp":{"order":"desc"}}]}]]
at
org.elasticsearch.search.SearchService.parseSource(SearchService.java:586)
at
org.elasticsearch.search.SearchService.createContext(SearchService.java:489)
at
org.elasticsearch.search.SearchService.createContext(SearchService.java:474)
at
org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:467)
at
org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:239)
at
org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryTransportHandler.messageReceived(SearchServiceTransportAction.java:623)
at
org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryTransportHandler.messageReceived(SearchServiceTransportAction.java:612)
at
org.elasticsearch.transport.netty.MessageChannelHandler$RequestHandler.run(MessageChannelHandler.java:270)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.elasticsearch.index.query.QueryParsingException:
[logstash-2014.02.14] No query registered for [field]
at
org.elasticsearch.index.query.QueryParseContext.parseInnerQuery(QueryParseContext.java:221)
at
org.elasticsearch.index.query.FQueryFilterParser.parse(FQueryFilterParser.java:66)
at
org.elasticsearch.index.query.QueryParseContext.executeFilterParser(QueryParseContext.java:279)
at
org.elasticsearch.index.query.QueryParseContext.parseInnerFilter(QueryParseContext.java:260)
at
org.elasticsearch.index.query.BoolFilterParser.parse(BoolFilterParser.java:92)
at
org.elasticsearch.index.query.QueryParseContext.executeFilterParser(QueryParseContext.java:279)
at
org.elasticsearch.index.query.QueryParseContext.parseInnerFilter(QueryParseContext.java:260)
at
org.elasticsearch.index.query.FilteredQueryParser.parse(FilteredQueryParser.java:74)
at
org.elasticsearch.index.query.QueryParseContext.parseInnerQuery(QueryParseContext.java:223)
at
org.elasticsearch.index.query.IndexQueryParserService.parse(IndexQueryParserService.java:321)
at
org.elasticsearch.index.query.IndexQueryParserService.parse(IndexQueryParserService.java:260)
at
org.elasticsearch.search.query.QueryParseElement.parse(QueryParseElement.java:33)
at
org.elasticsearch.search.SearchService.parseSource(SearchService.java:574)
... 10 more
[2014-02-14 09:11:24,992][DEBUG][action.search.type ] [es1] All
shards failed for phase: [query]

I have a 3 node cluster - 2 machines are data nodes. I tried shutting
down various combinations of elasticsearch servers and I get the same
error.

Copying/pasting the same query into Marvel Sense shows the same issue.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/96d42e01-151c-45ec-84a0-66ad7e7b7f6e%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Binh_Ly · February 14, 2014, 3:38pm

I'm curious if you're running the latest Kibana, or an older one.

The field query has been deprecated (and removed in ES 1.0) which is the
cause of your error:

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/_deprecations.html

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d3403e9e-09d4-4334-930e-ce84abacf899%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Chris_Decker · February 14, 2014, 3:41pm

Yes - I downloaded the master from GitHub and was running still seeing the
issue.

On Friday, February 14, 2014 10:38:49 AM UTC-5, Binh Ly wrote:

I'm curious if you're running the latest Kibana, or an older one.

The field query has been deprecated (and removed in ES 1.0) which is the
cause of your error:

Elasticsearch Platform — Find real-time answers at scale | Elastic

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a4a88f67-e5b8-4945-ad56-586ac5b34b48%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Chris_Decker · February 14, 2014, 3:42pm

Note that I'm using the past tense only because I reverted back to ES
0.90.9, not because I figured out how to solve the issue

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/7c9221a1-0866-4e46-a345-92d99cc176d0%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Binh_Ly · February 14, 2014, 4:13pm

Strange. Just want to confirm your behavior again. I just downloaded Kibana
3 and I hover on the top left and says Kibana 3 milestone pre 5. I clear
all my browser cache to ensure there is no old Kibana code lurking around.
Then I create a new logstash dashboard. Then I go to the filtering section
and add a new filter. I get a new filter and it says querystring, must, and
a query box (there are no other options/choices). I do not see the ability
to add a field filter though.

Can you confirm if we have the same behavior or something you're seeing is
different from mine?

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/9bd93b6e-a6a7-4dab-8d66-c88c25feea6f%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Chris_Decker · February 14, 2014, 6:14pm

Binh,

First let me thank you for helping me track down what’s going on here.

So I can confirm that everything I see is the same as what you saw (with the exception that at the end of the Kibana version mine says [master]). If I enter a query for:
querystring must
query : action:connect

…then the expected results come back.

Try this now:
Go to your logstash dashboard and click one of the rows. Click the magnifying glass near one of the fields and see if you get back results.

The above is how my users are the primary way that my users add filters to find what they’re looking for, and that’s the part that isn’t working for me.

Thanks,
Chris

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.52fe5cf3.79e2a9e3.e8%40april.sos.its.psu.edu.
For more options, visit https://groups.google.com/groups/opt_out.

Binh_Ly · February 14, 2014, 6:56pm

Chris,

I tried your suggestion, in the table panel, I opened 1 row, and then
filtered (magnifying glass) on 1 field. It indeed added a field filter -
must, field, and value. However, it re-executed all the queries properly.
The new filter translated to this part in the query (which looks valid to
me):

                {
                  "fquery": {
                    "query": {
                      "query_string": {
                        "query": "_type:(\"apache\")"
                      }
                    },
                    "_cache": true
                  }
                }

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/56c7f1d8-8936-4622-baf9-068b035b424c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.