Shards fail in high amount on certain Index

Moritz_Kiesewetter · January 7, 2020, 10:55am

Hi guys,

when i take a look at one of my dashboards, which uses the Auditbeat-Index as an Input, i get an "20/24 Shards failed" Error like 20 Times on the side of my screen. It's stated as an illegal_arguement_expression with the following Message:

Type
illegal_argument_exception
Reason
Fielddata is disabled on text fields by default. Set fielddata=true on [user.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.

So i don't really know what exactly i'm supposed to do here, and where to do it. Any hellp will be appreciated.

Cheers,
Mo

tsullivan · January 8, 2020, 4:29pm

Hi, it looks like your Auditbeat index has data where user.name is mapped as a text field. I am guessing it should be mapped as a keyword (as the error messages says) so that you can make aggregate searches on that field.

It could mean there is a mapping conflict in Elasticsearch, or the mapping template for the Auditbeat index was accidentally deleted. You'll need to restore the mappings so that new Auditbeat indices have the data mapped correctly, but also reindex the existing data so the user.name fields are re-mapped as keyword.

Moritz_Kiesewetter · January 10, 2020, 6:42am

Ok, thanks tsullivan, will try today.
Thanks in advance.

Topic		Replies	Views
Auditbeat shards failing Beats auditbeat	3	636	August 30, 2019
Shards Failed Beats metricbeat	2	1259	February 13, 2019
1 of 21 shards failed Elasticsearch	5	961	April 29, 2022
1 of 24 shards failed Elasticsearch	3	547	May 6, 2022
9 out of 42 shards failed Elasticsearch	7	5045	December 18, 2018

Shards fail in high amount on certain Index

Related topics