Hello All,
I have an issue that I cannot figure out:
I'm running v5.2 but had the same issue on v5.1.2.
I have an index with a few documents in it that I want to update with a tag if they match an IP address in the host field, so I tried this and it worked for most of the documents but not all:
And got the following error:
{
"error": {
"root_cause": [
{
"type": "script_exception",
"reason": "runtime error",
"script_stack": [
"if (ctx._source.tags.contains(params.tag)) {",
" ^---- HERE"
],
"script": "if (ctx._source.tags.contains(params.tag)) {ctx.op='noop'} else {ctx._source.tags.add(params.tag)}",
"lang": "painless"
}
],
"type": "script_exception",
"reason": "runtime error",
"caused_by": {
"type": "null_pointer_exception",
"reason": null
},
"script_stack": [
"if (ctx._source.tags.contains(params.tag)) {",
" ^---- HERE"
],
"script": "if (ctx._source.tags.contains(params.tag)) {ctx.op='noop'} else {ctx._source.tags.add(params.tag)}",
"lang": "painless"
},
"status": 500
}
I have three documents here:
Document 1 (that worked earlier and has been tagged correctly):
{
"_index": "redspam-test3-olddata",
"_type": "redspam",
"_id": "AVXkX_iFyWbKOs9iOEc6",
"_version": 5,
"found": true,
"_source": {
"subnet": "x.x.x.x/24",
"AMC_HostDomain": "test.com",
"message": """deviceid="RedSpam Server", timestamp="2016-07-13 14:08:57.466106", msgtype="Invoke", customer="RedSpam", subnet="x.x.x.x/24", alertid="none"""",
"type": "redspam",
"deviceid": "RedSpam Server",
"tags": [
"test-mm",
"redspam_mitigation_service",
"redspam_admintool"
],
"@timestamp": "2016-07-13T13:09:02.625Z",
"AMC_HostName": null,
"@version": "1",
"host": "10.0.10.100",
"alertid": "none",
"msgtype": "Invoke",
"timestamp": "2016-07-13 14:08:57.466106",
"customer": "RedSpam",
"AMC_HostIP": "10.0.10.100"
}
}
Document 2 (that didn't work):
{
"_index": "redspam-test3-olddata",
"_type": "redspam",
"_id": "AVW6RvY1ebvilZTU5GPd",
"_version": 3,
"found": true,
"_source": {
"@timestamp": "2016-07-05T09:02:30.564Z",
"AMC_HostName": null,
"@version": "1",
"host": "10.0.10.100",
"AMC_HostDomain": "test.com",
"message": "RedSpam subnet checked",
"type": "redspam",
"AMC_HostIP": "10.0.10.100"
}
}
Document 3 (that didn't work either):
{
"_index": "redspam-test3-olddata",
"_type": "redspam",
"_id": "AVW7xZhLebvilZTU6ODL",
"_version": 4,
"found": true,
"_source": {
"@timestamp": "2016-07-05T16:00:26.736Z",
"AMC_HostName": null,
"@version": "1",
"host": "10.0.10.100",
"AMC_HostDomain": "test.com",
"message": """deviceid="RedSpam Server", Date/Time="2016-07-05 17:00:24.114118", msgtype="Subnet Check"""",
"type": "redspam",
"tags": [
"test-mm"
],
"AMC_HostIP": "10.0.10.100"
}
}
I cannot figure out what I'm doing wrong, as the script should work on documents 2 and 3 but it doesn't. I may be able to understand why it doesn't work on document 2, as there is no tags list / map / set in that document, but it should then work for document 3 where there is a tags list / map / set that it can add another tag to.
If I run a count to see how many documents I have matching the query I get 78 documents back so it's not the query that for some reason doesn't work on those documents.
GET redspam-test3-olddata/redspam/_count
{
"query": {
"term": {
"host": "10.0.10.100"
}
}
}
Results in:
{
"count": 78,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
}
}
What am I missing?
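As an added example (not from the original post), here is an _update_by_query request carrying a null-safe version of the script from the error above: it creates the tags list on documents that have none before trying to read it. The request wrapper, the "inline" key (the 5.x script key) and the tag value "example-tag" are assumptions, since the post only shows the script, the error, the documents and the count query.

```json
POST redspam-test3-olddata/_update_by_query
{
  "query": {
    "term": { "host": "10.0.10.100" }
  },
  "script": {
    "lang": "painless",
    "params": { "tag": "example-tag" },
    "inline": "if (ctx._source.tags == null) { ctx._source.tags = [params.tag] } else if (ctx._source.tags.contains(params.tag)) { ctx.op = 'noop' } else { ctx._source.tags.add(params.tag) }"
  }
}
```

The null check matters because a script exception on any matching document (like document 2, which has no tags field) aborts the whole _update_by_query request, so other matching documents such as document 3 can be left untouched even though the script would have worked on them individually.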