Recover from mapping explosion

Ziv_Farjun · June 22, 2017, 10:01am

In my system (Kibana 5.1.1) I have 1 event that creating mapping explosion by creating a field that looks something like foo<hashCode> and we had lots of fooXXXX, soon after we reach index.mapping.total_fields.limit.
I change the event to stop doing that by changing it to an array so it would look like foo [hashcode1, hashcode1...]. but now my system is clutter with those junk foo<hashcode>.

Trying to recover I run from dev tool UI _delete_by_query with a query that matches the problematic event.
The response looks valid (see below) but the number of fields didn't decrease - why is that? and how can I delete and reset the fields count

{
  "took": 211,
  "timed_out": false,
  "total": 117,
  "deleted": 117,
  "batches": 1,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []
}

I check the number of fields from UI -> Management and also indexing new events give Limit of total fields error

warkolm · June 22, 2017, 10:30am

You will need to put things into a new index, it won't change the existing one.

Ziv_Farjun · June 22, 2017, 11:08am

Thanks for your replay
since this is still in dev I can do that but I rather check if there is other non-distractive mitigation or work around.

For example: dropping the index and then re-play all events (after removing the problematic event) or use the Source Filters while replay

warkolm · June 22, 2017, 11:09am

That's pretty much the same thing as I suggested
It would be the best option.

Ziv_Farjun · June 22, 2017, 11:10am

Thanks again for the fast response.

Since I'm new to Kibana, creating new index will replay all events ?

warkolm · June 22, 2017, 11:31pm

No you need to do that yourself.

system · July 20, 2017, 11:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.