Shard failure. Fielddata disabled on text fields by default

medelastic · June 18, 2017, 11:24pm

I am new to elastic stack. Aim is to visualize access logs data in kibana. I have taken a sample apache log from elastic stack documentation and used the following logstash configuration file:

input {

file {

path => "/tmp/access_log"

start_position => "beginning"

}

filter {

if [path] =~ "access" {

mutate { replace => { "type" => "apache_access" } }

grok {

  match => { "message" => "%{COMBINEDAPACHELOG}" }

}

}

date {

match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]

}

output {

elasticsearch { hosts => ["localhost:9200"]

user => username

password => password

index => "apache-access.log"

}

stdout { codec => rubydebug }

}

The script is working fine except for the part that some problem is with "timestamp" field.

Index: apache-access.log Shard: 0 Reason: {"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [timestamp] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."}

Plz help ASAP. Thank you

warkolm · June 19, 2017, 12:16am

Where does it say that exactly.

medelastic · June 19, 2017, 1:18am

In kibana "Discover" tab. When I search for the index I have saved this.

medelastic · June 19, 2017, 11:31am

@warkolm: On expanding a particular index in the discover tab. If I open any document of it then for "tag" it is showing _grokparsefailure ... However index is being created.

system · July 17, 2017, 11:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.