ML - Datafeed is encountering errors extracting data: all shards failed

richcollier · February 23, 2021, 9:52pm

It's quite possible that the query being run by Kibana (the one that "works") looks more like the following, behind the scenes:

  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "event.action": "EXECVE"
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }

richcollier · February 23, 2021, 9:55pm

The motivation for using v7.11 is that many of the ML jobs are now directly enabled via the Security (SIEM) app

cezar996 · February 24, 2021, 12:57pm

It perfectly worked! Congratulations, you are a genius!! However, I have a question: if I run packetbeat during the day and during the night not, then in the next day when I create a ML job which uses the packetbeat data, it will also take into consideration the pause period which was during the night, or it will automatically calculate and take the data just when was packetbeat running?

cezar996 · February 24, 2021, 12:59pm

I will consider upgrading to this version! Thanks for this information!