Recover from mapping explosion

In my system (Kibana 5.1.1) I have 1 event that creating mapping explosion by creating a field that looks something like foo<hashCode> and we had lots of fooXXXX, soon after we reach index.mapping.total_fields.limit.
I change the event to stop doing that by changing it to an array so it would look like foo [hashcode1, hashcode1...]. but now my system is clutter with those junk foo<hashcode>.

Trying to recover I run from dev tool UI _delete_by_query with a query that matches the problematic event.
The response looks valid (see below) but the number of fields didn't decrease - why is that? and how can I delete and reset the fields count

  "took": 211,
  "timed_out": false,
  "total": 117,
  "deleted": 117,
  "batches": 1,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []

I check the number of fields from UI -> Management and also indexing new events give Limit of total fields error

You will need to put things into a new index, it won't change the existing one.

Thanks for your replay
since this is still in dev I can do that but I rather check if there is other non-distractive mitigation or work around.

For example: dropping the index and then re-play all events (after removing the problematic event) or use the Source Filters while replay

That's pretty much the same thing as I suggested :wink:
It would be the best option.

Thanks again for the fast response.

Since I'm new to Kibana, creating new index will replay all events ?

No you need to do that yourself.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.