Anand Subramanian created METRON-2167:
-----------------------------------------
Summary: Unable to filter with alert_status:NEW
Key: METRON-2167
URL: https://issues.apache.org/jira/browse/METRON-2167
Project: Metron
Issue Type: Bug
Reporter: Anand Subramanian
The following query does not return any results when run through
/api/v1/search/search:
{code:java}
{ "indices": [], "facetFields": [], "query": "(alert_status:NEW OR
metron_alert.alert_status:NEW)", "from": 0, "size": 25 }{code}
However when I change the query to look for any of 'OPEN' or 'ESCALATE' or
'RESOLVE', it returns results.
It is also observed that sorting on the 'Alert Status' field is broken. Here's
an example:
{code:java}
{ "indices": [], "facetFields": [], "query": "*", "from": 0, "size": 25,
"sort": [ { "field": "alert_status", "sortOrder": "asc" } ] }{code}
{{}}yields the following error...
{code:java}
{ "responseCode": 500, "message": "Failed to execute search;
error='IllegalArgumentException: Fielddata is disabled on text fields by
default. Set fielddata=true on [__anonymous_text] in order to load fielddata in
memory by uninverting the inverted index. Note that this can however use
significant memory. Alternatively use a keyword field instead.',
search='{\"from\":0,\"size\":25,\"query\":{\"constant_score\":{\"filter\":{\"bool\":{\"must\":[{\"bool\":{\"should\":[{\"query_string\":{\"query\":\"*\",\"fields\":[],\"use_dis_max\":true,\"tie_breaker\":0.0,\"default_operator\":\"or\",\"auto_generate_phrase_queries\":false,\"max_determinized_states\":10000,\"enable_position_increments\":true,\"fuzziness\":\"AUTO\",\"fuzzy_prefix_length\":0,\"fuzzy_max_expansions\":50,\"phrase_slop\":0,\"escape\":false,\"split_on_whitespace\":true,\"boost\":1.0}},{\"nested\":{\"query\":{\"query_string\":{\"query\":\"*\",\"fields\":[],\"use_dis_max\":true,\"tie_breaker\":0.0,\"default_operator\":\"or\",\"auto_generate_phrase_queries\":false,\"max_determinized_states\":10000,\"enable_position_increments\":true,\"fuzziness\":\"AUTO\",\"fuzzy_prefix_length\":0,\"fuzzy_max_expansions\":50,\"phrase_slop\":0,\"escape\":false,\"split_on_whitespace\":true,\"boost\":1.0}},\"path\":\"metron_alert\",\"ignore_unmapped\":false,\"score_mode\":\"none\",\"boost\":1.0}}],\"disable_coord\":false,\"adjust_pure_negative\":true,\"boost\":1.0}},{\"bool\":{\"should\":[{\"term\":{\"status\":{\"value\":\"active\",\"boost\":1.0}}},{\"bool\":{\"must_not\":[{\"exists\":{\"field\":\"status\",\"boost\":1.0}}],\"disable_coord\":false,\"adjust_pure_negative\":true,\"boost\":1.0}}],\"disable_coord\":false,\"adjust_pure_negative\":true,\"boost\":1.0}}],\"must_not\":[{\"exists\":{\"field\":\"metaalerts\",\"boost\":1.0}}],\"disable_coord\":false,\"adjust_pure_negative\":true,\"boost\":1.0}},\"boost\":1.0}},\"_source\":{\"includes\":[],\"excludes\":[]},\"sort\":[{\"alert_status\":{\"order\":\"asc\",\"missing\":\"_first\",\"unmapped_type\":\"text\"}}],\"track_scores\":true,\"aggregations\":{\"source:type_count\":{\"terms\":{\"field\":\"source:type\",\"size\":10,\"min_doc_count\":1,\"shard_min_doc_count\":0,\"show_term_doc_count_error\":false,\"order\":[{\"_count\":\"desc\"},{\"_term\":\"asc\"}]}},\"ip_src_addr_count\":{\"terms\":{\"field\":\"ip_src_addr\",\"size\":10,\"min_doc_count\":1,\"shard_min_doc_count\":0,\"show_term_doc_count_error\":false,\"order\":[{\"_count\":\"desc\"},{\"_term\":\"asc\"}]}},\"ip_dst_addr_count\":{\"terms\":{\"field\":\"ip_dst_addr\",\"size\":10,\"min_doc_count\":1,\"shard_min_doc_count\":0,\"show_term_doc_count_error\":false,\"order\":[{\"_count\":\"desc\"},{\"_term\":\"asc\"}]}},\"enrichments:geo:ip_dst_addr:country_count\":{\"terms\":{\"field\":\"enrichments:geo:ip_dst_addr:country\",\"size\":10,\"min_doc_count\":1,\"shard_min_doc_count\":0,\"show_term_doc_count_error\":false,\"order\":[{\"_count\":\"desc\"},{\"_term\":\"asc\"}]}}}}'",
"fullMessage": "IllegalArgumentException: Fielddata is disabled on text fields
by default. Set fielddata=true on [__anonymous_text] in order to load fielddata
in memory by uninverting the inverted index. Note that this can however use
significant memory. Alternatively use a keyword field instead." }
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
