Our Elastic Search crashed and we are seeing the exception QueryParsingException: no _parent field configured

Initially we were seeing this OutOfMemory issue:

[2017-05-31 09:59:55,166][WARN ][cluster.action.shard ] [lsprap001] [ise][3] received shard failed for [ise][3], node[k9q640DcTemqjl2d05RwSw], [P], v[277762], s[INITIALIZING], a[id=l9KUEmZETzqEwIuW3nKRdg], unassigned_info[[reason=ALLOCATION_FAILED], at[2017-05-31T13:59:55.079Z], details[failed recovery, failure IndexShardRecoveryException[failed recovery]; nested: IllegalStateException[translog file doesn't exist with generation: 2 lastCommitted: -1 checkpoint: 7 - translog ids must be consecutive]; ]], indexUUID [fvc1wSmwSKGk6FgkkOmKXg], message [failed recovery], failure [IndexShardRecoveryException[failed recovery]; nested: IllegalStateException[translog file doesn't exist with generation: 2 lastCommitted: -1 checkpoint: 7 - translog ids must be consecutive]; ] [ise][[ise][3]] IndexShardRecoveryException[failed recovery]; nested: IllegalStateException[translog file doesn't exist with generation: 2 lastCommitted: -1 checkpoint: 7 - translog ids must be consecutive];

And later, when we search in Elastic Search, the stack trace below is seen:

Caused by: [ise] QueryParsingException[[has_parent] no _parent field configured]
b. Caused by: [ise] QueryParsingException[[has_child] No mapping for for type [threatEvent]]

"query" : {"match_all" : { }}, parent_type : "contextrepo"}},"_source" : {"includes" : [ ],"excludes" : [ ]},"aggregations" : {"Group By vulnerabilityId" : {"terms" : {"field" : "vulnerabilityId","size" : 0},"aggregations" : {"Group By cvssBaseScore" : {"terms" : {"field" : "cvssBaseScore","size" : 0},"aggregations" : {"Group By vulnerabilityTitle" : {"terms" : {"field" : "vulnerabilityTitle","size" : 0}}}}}}}}]]; nested: QueryParsingException[[has_parent] no _parent field configured];
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:860)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:663)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:632)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:374)
at org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryTransportHandler.messageReceived(SearchServiceTransportAction.java:368)
at org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryTransportHandler.messageReceived(SearchServiceTransportAction.java:365)
at org.elasticsearch.transport.netty.MessageChannelHandler$RequestHandler.doRun(MessageChannelHandler.java:299)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: [ise] QueryParsingException[[has_parent] no _parent field configured]

Can you suggest what might be the issue?

Mapping seems incorrect.

Thank you, David, for replying. Can you please let us know how to correct the mapping?

Let me know if you need any data related to elastic search.

Thanks,
Saroj.

I don't know your mapping, your documents, your queries so I don't think I can guess how to fix.

Maybe send a full recreation script?

Should we share the data files of Elastic Search in the elasticsearch/data folder for further analysis of the mapping issue?

No. Just provide a script similar to the example provided in About the Elasticsearch category

Hi David,

These are our child mapping details:

curl -k -X GET "https://localhost:9200/ise/threatEvent/_mapping?pretty"
{
  "ise" : {
    "mappings" : {
      "threatEvent" : {
        "dynamic" : "strict",
        "_all" : {
          "enabled" : false
        },
        "_parent" : {
          "type" : "contextrepo"
        },
        "_routing" : {
          "required" : true
        },
        "properties" : {
          "confidenceLevel" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "courseOfAction" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "incSeverity" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "indSeverity" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "macAddress" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "severityLevel" : {
            "type" : "integer"
          },
          "threatTitle" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "threatType" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          },
          "timeStamp" : {
            "type" : "date",
            "format" : "epoch_millis"
          },
          "vendor" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
          }
        }
      }
    }
  }
}

And the parent mapping details are:

{
  "ise" : {
    "mappings" : {
      "contextrepo" : {
        "dynamic" : "strict",
        "_all" : {
          "enabled" : false
        },
        "properties" : {
          "userName" : {
            "type" : "string",
            "analyzer" : "case_insensitive_analyzer"
------------------------------------
------------------------------------
          }
        }
      }
    }
  }
}

We have like 129 properties in the contextrepo type.
And it's throwing the error QueryParsingException[[has_child] No mapping for for type [threatEvent]] for the child mapping after we deleted the index and applied the types on the index again. The data is inserting fine into the parent type contextrepo, but when we try to retrieve info on the threatevent type we see this issue: "QueryParsingException[[has_child] No mapping for for type [threatEvent]]"

Hope this helps
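
Added example, not part of any post in this thread and not Elasticsearch code: a Python check that takes one index's type mappings and a query body and reports the has_child / has_parent clauses whose types are missing or lack a _parent link, the two conditions named by the exceptions quoted above. The function names and the trimmed sample mappings and queries are constructed for illustration, and the checks are an assumption inferred from the exception text, not the server's own logic.

```python
# Added example: offline parent/child mapping check (not Elasticsearch code).
# The rules below are assumptions inferred from the exception messages.

def find_clauses(node, name):
    """Yield every dict stored under key `name` anywhere in a query body."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == name and isinstance(value, dict):
                yield value
            yield from find_clauses(value, name)
    elif isinstance(node, list):
        for item in node:
            yield from find_clauses(item, name)


def parent_child_problems(type_mappings, query):
    """type_mappings: the "mappings" object of one index (type name -> mapping)."""
    problems = []
    for clause in find_clauses(query, "has_child"):
        child = clause.get("type")
        if child not in type_mappings:
            problems.append("has_child: no mapping for type [%s]" % child)
        elif "_parent" not in type_mappings[child]:
            problems.append("has_child: type [%s] has no _parent" % child)
    for clause in find_clauses(query, "has_parent"):
        parent = clause.get("parent_type")
        children = [t for t, m in type_mappings.items()
                    if m.get("_parent", {}).get("type") == parent]
        if not children:
            problems.append("has_parent: no type declares _parent [%s]" % parent)
    return problems


# Constructed samples, trimmed from the mappings posted in this thread.
PARENT_ONLY = {"contextrepo": {"properties": {"userName": {"type": "string"}}}}
BOTH_TYPES = dict(PARENT_ONLY, threatEvent={
    "_parent": {"type": "contextrepo"},
    "properties": {"severityLevel": {"type": "integer"}}})

# Constructed queries using the clause names seen in the stack trace.
CHILD_QUERY = {"query": {"has_child": {"type": "threatEvent",
                                       "query": {"match_all": {}}}}}
PARENT_QUERY = {"query": {"has_parent": {"parent_type": "contextrepo",
                                         "query": {"match_all": {}}}}}

if __name__ == "__main__":
    for label, mappings in (("parent only", PARENT_ONLY), ("both", BOTH_TYPES)):
        for q in (CHILD_QUERY, PARENT_QUERY):
            print(label, parent_child_problems(mappings, q))
```

Feeding it the "mappings" object returned for the whole index, rather than for a single type, shows whether the child type was actually re-created after the index was deleted.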

Can you provide a full script please?
