Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

No mapping found for [@timestamp] in order to sort on]

See original GitHub issue

I see that this person had the same issue (https://github.com/Yelp/elastalert/issues/122), but, unlike them, I am ingesting logs from logstash and my @timestamp is in the ISO8601 format. An example @timestamp in Elasticsearch that I have being 2015-08-13T23:29:56.000Z.

My error looks like this:


root@ip-10-0-20-114:/usr/local/elastalert# python elastalert/elastalert.py
ERROR:root:Error querying for last run: TransportError(400, u'SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; 
shardFailures {[8a3NL65NQiKa9wsxgwklyA][elastalert_status][0]: SearchParseException[[elastalert_status][0]: from[-1],size[-1]: 
Parse Failure [Failed to parse source [{"filter": {"term": {"rule_name": "whiteListedIPs"}}, "sort": {"@timestamp": {"order": "desc"}}}]]]; 
nested: SearchParseException[[elastalert_status][0]: from[-1],size[-1]: 
Parse Failure [No mapping found for [@timestamp] in order to sort on]]; }{[8a3NL65NQiKa9wsxgwklyA][elastalert_status][1]:
 SearchParseException[[elastalert_status][1]: from[-1],size[-1]:

I’ve pretty much followed the documentation for getting started so I don’t quite know how much more simple my test case could be. I did use a different folder for rules and created my own test case that basically just mimics the example_frequency.yaml.

Any ideas of how I should proceed?

Issue Analytics

State:
Created 8 years ago
Comments:25 (10 by maintainers)

Top GitHub Comments

7reactions

carlosvegacommented, May 9, 2016

When running elastsalert I get the following error:

WARNING:elasticsearch:GET http://localhost:9200/elastalert_status/elastalert/_search?size=1000 [status:404 request:0.045s] WARNING:elasticsearch:GET http://localhost:9200/elastalert_status/silence/_search?_source_include=until%2Cexponent&size=1 [status:404 request:0.002s] ERROR:root:Error while querying for alert silence status: TransportError(404, {u’index’: u’elastalert_status’, u’resource.type’: u’index_or_alias’, u’root_cause’: [{u’index’: u’elastalert_status’, u’reason’: u’no such index’, u’type’: u’index_not_found_exception’, u’resource.id’: u’elastalert_status’, u’resource.type’: u’index_or_alias’}], u’reason’: u’no such index’, u’type’: u’index_not_found_exception’, u’resource.id’: u’elastalert_status’})

And this is the mapping after it execution.

curl -XGET ‘http://localhost:9200/elastalert_status/_mapping/’
{“elastalert_status”:{“mappings”:{“elastalert_error”:{“properties”:{“@timestamp”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“data”:{“properties”:{“rule”:{“type”:“string”}}},“message”:{“type”:“string”},“traceback”:{“type”:“string”}}},“elastalert”:{“properties”:{“@timestamp”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“alert_info”:{“properties”:{“output_file”:{“type”:“string”},“type”:{“type”:“string”}}},“alert_sent”:{“type”:“boolean”},“alert_time”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“match_body”:{“properties”:{“_id”:{“type”:“string”},“_index”:{“type”:“string”},“_type”:{“type”:“string”},“fecha”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“peticiones_pendientes_respuesta_tras_intervalo”:{“type”:“long”},“servicio”:{“type”:“string”}}},“rule_name”:{“type”:“string”}}},“elastalert_status”:{“properties”:{“@timestamp”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“endtime”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“hits”:{“type”:“long”},“matches”:{“type”:“long”},“rule_name”:{“type”:“string”},“starttime”:{“type”:“date”,“format”:“strict_date_optional_time||epoch_millis”},“time_taken”:{“type”:“double”}}}}}}%

4reactions

allantaylor81commented, Jun 9, 2017

Had this same issue with ElasticSearch 2.4.4, simply deleted the old mapping with curl -XDELETE ‘localhost:9200/elastalert_status’ and ran elastalert-create-index again to fix it

ERROR:root:Error finding recent pending alerts: TransportError(400, u’search_phase_execution_exception’, u’No mapping found for [alert_time] in order to sort on’)