Rollup job failed to find field

Paul_Ainslie · August 13, 2018, 8:03pm

I tried to create a data rollup on data that was pulled in from Logstash but I was getting error: failed to find field [@timestamp] and [missing] is not provided.

This is the error in the /var/log/elasticsearch folder.

[2018-08-13T19:19:45,394][WARN ][o.e.x.r.j.RollupJobTask  ] Rollup job [ms4] failed with an exception: java.lang.RuntimeException: Shard failures encountered while running indexer for rollup job [ms4]: [shard [[Y7et4P77SK66xlfUYleBoQ][mediaserver_2017-10g-1h-rollup][0]], 
reason [RemoteTransportException[[mgr-elastic-002][5.9.154.55:9300][indices:data/read/search[phase/query]]]; nested: QueryShardException[failed to find field [@timestamp] and [missing] is not provided]; ], cause [[mediaserver_2017-10g-1h-rollup/aqNUCpQ8TTGxlFzGLLHxRA] QueryShardException[failed to find field [@timestamp] and [missing] is not provided]

I realized that I cannot use hyphens in the rollup_index! Once I replaced hyphens with underscores, it worked!

Here's the syntax with a rollup_index name that failed!

{
    "index_pattern": "mediaserver_2017_2017-10*",
    "rollup_index": "mediaserver_2017-10g-1h-rollup",
    "cron": "*/10 * * * * ?",
    "page_size" :10000,
    "groups" : {
      "date_histogram": {
        "field": "timestamp",
        "interval": "15m",
        "delay": "10m"
      },
      "terms": {
        "fields": ["account", "stream", "streamtype", "host", "http_host", "clientip_n_agent", "geoip.region_name", "geoip.country_name", "geoip.continent_code", "cache_status", "response", "verb"]
      },
      "histogram": {
        "fields": ["request_time"],
        "interval": 1
      }
    },
    "metrics": [
        {
            "field": "bytes",
            "metrics": ["sum"]
        },
        {
            "field": "request_time",
            "metrics": ["avg","min","max"]
        }
    ]
}

polyfractal · August 17, 2018, 12:43pm

Ah, I think you ran into the bug fixed by https://github.com/elastic/elasticsearch/pull/30491

The issue is that the index pattern (mediaserver_2017_2017-10*) matches the destination rollup index. So when the job is rolling up data, it accidentally searches the destination rollup index too, which has different field names, and so it throws an exception.

That bug is fixed in 6.4, we throw an exception when you try to create the job telling you that the pattern would match itself.

The reason it worked when you switched from hyphen to underscore is likely because the pattern no longer matched. Sorry for the bug, it's definitely irritating!

Paul_Ainslie · August 20, 2018, 12:34pm

Ah, that's better!

polyfractal · August 22, 2018, 11:32am

Great, glad that fixed it! Sorry for the inconvenience, the situation should be clearer in the future after that bugfix is released

system · September 19, 2018, 11:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rollup job unable to start Elasticsearch rollups	10	1163	December 8, 2020
Rollup fails with: ElasticsearchParseException: failed to parse date field [0] with format [date_time] Elasticsearch	3	720	September 19, 2018
Rollup feature can't create job - Index pattern must match indices that contain time fields Kibana	3	312	January 7, 2022
Rollup index Elasticsearch	2	1135	April 22, 2019
Request failed with a 400 error. [x_content_parse_exception] Failed to build [xpack/rollup/jobconfig] after last required field arrived Elasticsearch	2	2244	October 19, 2020

Rollup job failed to find field

Related topics