Runtime field just stopped returning a value sometime around 4 AM this morning

kossde · December 30, 2021, 6:43pm

I created the following runtime field a couple of days ago and it was working fine. This morning, however it just stopped. The field is blank for all log entries that came in after around 4 AM this morning. Any idea why this might happen?

PUT CPODNS/_mapping
{

    "runtime":{
      "base_url":{
      "type":"keyword",
      "script": {
        "lang": "painless",
        "source": """
        if(doc['app.name'].value== "checkpoint" && doc['url.domain'].size() > 0){
          emit(doc['url.domain'].value)
        } else  if(doc['app.name'].value== "opendns" && doc['dns.question.name'].size() > 0){
          emit(doc['dns.question.name'].value)
        } 
        """
        }
      }
    }
  }

Christian_Dahlqvist · December 30, 2021, 6:53pm

Can you show an example of a document that has been indexed recently for which this does not work? Has something in the structure changed?

kossde · December 30, 2021, 7:01pm

Ok so from what I can tell, the indices rolled over this morning and I don't believe the mapping is applying to new indices as they are being created. I just added the mapping to the index template but the existing indices still don't have the runtime field. Do you know if mapping changes to an index template apply to existing indices or do they only apply to future indices?

kossde · December 30, 2021, 7:03pm

Ok I just found the answer to that last question as well, "Changes to index templates do not affect existing indices, including the existing backing indices of a data stream." So I will manually add this mapping back to the existing indices and, fingers crossed, the template will apply it to future indices.

system · January 27, 2022, 7:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.