[transform job] there are no field in source index but theare are in that source index

cucukaka · September 21, 2023, 2:13am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch 2.7.0

Describe the issue:
API

PUT _plugins/_transform/a-trandsform-job
{
  "transform": {
      "enabled": true,
      "continuous": true,
      "schedule": {
          "interval": {
              "start_time": 1692457200,
              "period": 1,
              "unit": "Minutes"
          }
      },
      "description": "a transform job",
      "source_index": "atenantid-a-log-*",
      "target_index": "a-trandsform-job",
      "data_selection_query": {
        "match_all": {}
      },
      "page_size": 1000,
      "groups": [
        {
            "date_histogram": {
                "calendar_interval": "1d",
                "source_field": "@timestamp",
                "target_field": "@timestamp _date_histogram_1_d_calendar",
                "timezone": "UTC"
            }
        },
        {
            "terms": {
                "source_field": "event.level",
                "target_field": "event.level_terms"
            }
        }
      ],
      "aggregations": {}
  }
}

result is error like this

{
  "error": {
    "root_cause": [
      {
        "type": "status_exception",
        "reason": "Cannot find field [event.level] that can be grouped as [terms] in [atenantid-a-log-network-2023.08.16-000003]"}
    ],
    "type": "status_exception",
    "reason": "Cannot find field [event.level] that can be grouped as [terms] in [atenantid-a-log-network-2023.08.16-000003]"},
  "status": 400
}

BUT there is [event.level] field in that index!!!
There’s not even one document that doesn’t have that field in that index…
How to solve this problems?

gaobinlong · September 21, 2023, 5:15am

Can you show the mappings of field event.level? is it text type? If so please use event.level.keyword or other fields which are not text type instead. That’s because terms aggregation cannot perform on text field.

cucukaka · September 21, 2023, 5:38am

To @gaobinlong
no, event.level’s type definitely keyword

cucukaka · September 21, 2023, 5:45am

oh sorry, I got mapping table of index that in error message, there is text type of field event.level…!! thank you!! now I should go to reindex now…

Topic		Replies	Views
Unable to run my transform job after updating to OpenSearch 2.11 Index Management troubleshoot	3	136	April 9, 2024
Transform API plugins - Groupings OpenSearch Dashboards	2	221	January 5, 2023
Does transform job support multiple index in source_index fields while creating transform job? OpenSearch	5	225	March 31, 2023
Enable to parse OpenSearch troubleshoot	4	801	May 18, 2023
Can't see any field in Discover page: just the "_source" one OpenDistro troubleshoot	6	2857	January 13, 2022

[transform job] there are no field in source index but theare are in that source index

Related Topics