I'm working on a team that has set up an Elastic cluster (6.3.2) and we've ingested a group of files containing old Bro data. We've previously tested Watcher with this data by using the following metadata block to simulate watches on the old data.
"metadata": {
"min_error_threshold": 100,
"time_interval" : "5m",
"num_time_intervals" : 12,
"time_period" : "1h",
"time_zone" : "-10:00",
"time_interval_start": "now-6y-7M-27d-20h-35m",
"time_period_start": "now-6y-7M-27d-21h-30m",
"time_period_end": "now-6y-7M-27d-20h-30m"
}
Recently, we added a second Kibana instance to the cluster (both are in Docker, same version). When we run the watch in the Kibana Dev Tools Console for the second Kibana instance, we receive the following response (same issue for time_interval_start, time_period_start, time_period_end):
{
"error": {
"root_cause": [
{
"type": "mapper_parsing_exception",
"reason": "failed to parse [metadata.time_interval_start]"
}
],
"type": "mapper_parsing_exception",
"reason": "failed to parse [metadata.time_interval_start]",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "Invalid format: "now-6y-7M-27d-20h-35m""
}
},
"status": 400
}
This query still works fine in our original Kibana instance. Looking at the Kibana logs for the second instance, I see the following error which looks related:
Deprecation warning: value provided is not in a recognized RFC2822 or ISO format. moment construction falls back to js Date(), which is not reliable across all browsers and versions. Non RFC2822/ISO date formats are discouraged and will be removed in an upcoming major release. Please refer to http://momentjs.com/guides/#/warnings/js-date/ for more info.
Arguments:
[0] _isAMomentObject: true, _isUTC: false, _useUTC: false, _l: undefined, _i: Sat Mar 17 2012 12:00:00 GMT-1000, _f: undefined, _strict: undefined, _locale: [object Object]
Error
at Function.createFromInputFallback (/usr/share/kibana/node_modules/moment/moment.js:324:94)
at configFromString (/usr/share/kibana/node_modules/moment/moment.js:2366:11)
at configFromInput (/usr/share/kibana/node_modules/moment/moment.js:2592:9)
at prepareConfig (/usr/share/kibana/node_modules/moment/moment.js:2575:9)
at createFromConfig (/usr/share/kibana/node_modules/moment/moment.js:2542:40)
at createLocalOrUTC (/usr/share/kibana/node_modules/moment/moment.js:2629:12)
at createLocal (/usr/share/kibana/node_modules/moment/moment.js:2633:12)
at hooks (/usr/share/kibana/node_modules/moment/moment.js:16:25)
at parse (/usr/share/kibana/src/core_plugins/timelion/server/lib/date_math.js:50:33)
at validateTime (/usr/share/kibana/src/core_plugins/timelion/server/handlers/lib/validate_time.js:19:40)
at Object.processRequest (/usr/share/kibana/src/core_plugins/timelion/server/handlers/chain_runner.js:193:33)
at handler (/usr/share/kibana/src/core_plugins/timelion/server/routes/run.js:22:64)
at
Has anybody run into the same issue? Or does anyone know of any updates that may have caused time values like those in our metadata block to no longer parse correctly?