Reticulating Splines - ES6.3.2 w/Kibana on ECE

I'm posting this in ECE as the ES clusters live inside ECE, but that may or may not be the issue. Currently working through a ticket but no resolutions yet.

Whenever I built a new ES Cluster 6.3.2 with Kibana enabled, I get "Reticulating Splines.." on the screen in Kibana. This appears in "Management" and "Index Patterns". It just sits there and spins and you can never create an index pattern.

Normal operations in Dev Console are fine. Anyone else seeing this?

Did you get any resolution on this? I had a quick scan through our internal support issues and couldn't find any mention of "reticulating splines" (which google suggests is a "joke" error, just meaning the server is doing something)

I've never seen this before fwiw, does the HTTP traffic (ie seen via the network console) give any clues? My guess is that it's waiting for some response from the server which never comes back, but knowing what the request is would help narrow it down

Good call. I do see errors in chrome\developertools\console. (replacing our private dns name space for confidentiality.)

INFO: 2018-08-07T15:16:42Z
Adding connection to

:9243/bundles/kibana.bundle.js:7 setting active api to [es_5_0]
:9243/elasticsearch//_search:1 Failed to load resource: the server responded with a status of 403 ()
:9243/bundles/vendors.bundle.js:3 Promise: Detected an unhandled Promise rejection.
Authorization Exception :: {"path":"/
/_search","query":{},"body":"{"size":0,"aggs":{"indices":{"terms":{"field":"_index","size":200}}}}","statusCode":403,"response":"\r\n403 Forbidden\r\n<body bgcolor="white">\r\n

403 Forbidden

:9243/bundles/vendors.bundle.js:159 Uncaught (in promise) StatusCodeErrorbody: "
↵403 Forbidden

403 Forbidden

↵"displayName: "AuthorizationException"message: "Authorization Exception"path: "/*/_search"query: {}response: "
↵403 Forbidden

403 Forbidden

↵"status: 403statusCode: 403toJSON: ƒ ()toString: ƒ ()stack: "Error: Authorization Exception↵ at respond (↵ at checkRespForFailure (↵ at↵ at processQueue (↵ at↵ at Scope.$digest (↵ at Scope.$apply (↵ at done (↵ at completeRequest (↵ at XMLHttpRequest.xhr.onload ("proto: ErrorAbstract

Interesting, 403 Forbidden means that the authenticated user does not have authorization to call _search

Are you logging in as elastic or a different user?

logged in as the elastic user.

And if you do something like

curl -k -u elastic:YOUR_PASSWORD -H 'Content-type: application/json' -d '{"size":0,"aggs":{"indices":{"terms":{"field":"_index","size":200}}}}', which I think is the exact query that Kibana is failing on, what does it return?

Also probably worth checking out the Kibana logs (eg search for the Kibana cluster id in the logging and monitoring cluster), or they are on disk in /mnt/data/elastic/RUNNER_ID/services/allocator/container/kibana/KIBANA_ID/logs, in case there are some errors before that which give a clue as to why elastic is failing in this way

curl -u 'elastic:blah' -H 'Content-type: application/json' -d {"size":0,"aggs":{"indices":{"terms":{"field":"_index","size":200}}}}
{"error":{"root_cause":[{"type":"json_parse_exception","reason":"Unrecognized token 'size': was expecting ('true', 'false' or 'null')\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@722053b8; line: 1, column: 6]"}],"type":"json_parse_exception","reason":"Unrecognized token 'size': was expecting ('true', 'false' or 'null')\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@722053b8; line: 1, column: 6]"},"status":500}curl: (3) [globbing] nested brace in column 15
curl: (3) [globbing] nested brace in column 15

did you miss `` (single quotes) around the JSON object following -d?

○ curl -u 'elastic:blah' -H 'Content-type: application/json' -d '{"size":0,"aggs":{"indices":{"terms":{"field":"_index","size":200}}}}'

this works.

That's really strange ... actually if you look in the proxy logs in the logging and monitoring cluster you should see the 403ing request and be able to tell what the URL was and (I think!) what the calling user was

Hmm. Well I just found out something interesting. In my ECE PREPROD environment, this happens on "any" flavor of 6.3 cluster. Any version, 6.3.1 6.3.2. In my "PROD" ECE environment, this does not happen. So that tells me there's something up with a configuration somewhere. Okay so now where do I look. aws elb config, security groups, where...

Can you give more details on what your ECE PREPROD looks like? I can't immediately see what AWS setting could cause this. I think the thing to do is check the following logs:

  • The kibana logs in case there is a startup error that is causing a "fake" 403 error subsequently
  • The proxy logs to see what endpoint/user exactly is generating a 403

(feel free to (re?) raise this as a ticket incidentally, and I'll update this thread with the TLDR once we figure out what's going on)

Problem Found. After searching the proxy logs for "403"s and not finding them, I turned my focus to the aws elb. That was the issue. There was an AWS Waf rule tied to the elb that was generating the 403's. I highly recommend using a tool called "Insomnia" as I was able to see a header presenting the 403's which clearly showed me the aws load balancer was causing the issue.

1 Like

@kcurtis - glad you got it working and thanks for sharing the resolution - really appreciate it


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.