Out Elastic Search got crashed and seeing Exception QueryParsingException is having no _parent field configured

Elastic Stack Elasticsearch
1

Intiialially we were seeing this issue of OutOfMemory

[2017-05-31 09:59:55,166][WARN ][cluster.action.shard ] [lsprap001] [ise][3] received shard failed for [ise][3], node[k9q640DcTemqjl2d05RwSw], [P], v[277762], s[INITIALIZING], a[id=l9KUEmZETzqEwIuW3nKRdg], unassigned_info[[reason=ALLOCATION_FAILED], at[2017-05-31T13:59:55.079Z], details[failed recovery, failure IndexShardRecoveryException[failed recovery]; nested: IllegalStateException[translog file doesn't exist with generation: 2 lastCommitted: -1 checkpoint: 7 - translog ids must be consecutive]; ]], indexUUID [fvc1wSmwSKGk6FgkkOmKXg], message [failed recovery], failure [IndexShardRecoveryException[failed recovery]; nested: IllegalStateException[translog file doesn't exist with generation: 2 lastCommitted: -1 checkpoint: 7 - translog ids must be consecutive]; ] [ise][[ise][3]] IndexShardRecoveryException[failed recovery]; nested: IllegalStateException[translog file doesn't exist with generation: 2 lastCommitted: -1 checkpoint: 7 - translog ids must be consecutive];

and leter when we are searching in Elastic Search the below stack trace is seen

Caused by: [ise] QueryParsingException[[has_parent] no _parent field configured]
b. Caused by: [ise] QueryParsingException[[has_child] No mapping for for type [threatEvent]]

"query" : {"match_all" : { }}, parent_type : "contextrepo"}},"_source" : {"includes" : [ ],"excludes" : [ ]},"aggregations" : {"Group By vulnerabilityId" : {"terms" : {"field" : "vulnerabilityId","size" : 0},"aggregations" : {"Group By cvssBaseScore" : {"terms" : {"field" : "cvssBaseScore","size" : 0},"aggregations" : {"Group By vulnerabilityTitle" : {"terms" : {"field" : "vulnerabilityTitle","size" : 0}}}}}}}}]]; nested: QueryParsingException[[has_parent] no _parent field configured];
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:860)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:663)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:632)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:374)
at org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryTransportHandler.messageReceived(SearchServiceTransportAction.java:368)
at org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryTransportHandler.messageReceived(SearchServiceTransportAction.java:365)
at org.elasticsearch.transport.netty.MessageChannelHandler$RequestHandler.doRun(MessageChannelHandler.java:299)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: [ise] QueryParsingException[[has_parent] no _parent field configured]

can you suggest what might be the issue

2

Mapping seems incorrect.

3

Thank you David for replying.Can you please let us know how to correct the mapping.

Let me know if you need any data related to elastic search.

Thanks,
Saroj.

4

I don't know your mapping, your documents, your queries so I don't think I can guess how to fix.

May be send a full recreation script?

5

should we share the data files of elastic search in elasticsearch/data folder for further analysis on the mapping issue?

6

No. Just provide a script similar to the example provided in About the Elasticsearch category

7

Hi David,

this is our child mapping details

curl -k -X GET "https://localhost:9200/ise/threatEvent/_mapping?pretty"
{
"ise" : {
"mappings" : {
"threatEvent" : {
"dynamic" : "strict",
"_all" : {
"enabled" : false
},
"_parent" : {
"type" : "contextrepo"
},
"_routing" : {
"required" : true
},
"properties" : {
"confidenceLevel" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"courseOfAction" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"incSeverity" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"indSeverity" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"macAddress" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"severityLevel" : {
"type" : "integer"
},
"threatTitle" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"threatType" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
},
"timeStamp" : {
"type" : "date",
"format" : "epoch_millis"
},
"vendor" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
}
}
}
}
}
}

and parent mapping details are

{
"ise" : {
"mappings" : {
"contextrepo" : {
"dynamic" : "strict",
"_all" : {
"enabled" : false
},
"properties" : {
"userName" : {
"type" : "string",
"analyzer" : "case_insensitive_analyzer"
------------------------------------
------------------------------------
}
}
}
}
}
}

We have like 129 properties in contextrepo type.
And its throwning error QueryParsingException[[has_child] No mapping for for type [threatEvent]] for the child mapping after we deleted the index and applied the types on the index again. The data is inserting good to the parent type contextrepo but when we are trying to retrieve info on the threatevent type we are seeing this issue "QueryParsingException[[has_child] No mapping for for type [threatEvent]] "

Hope this helps

8

Can you provide a full script please?

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.