Troubleshooting while activating live log analysis

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): latest image (working with Docker)

Describe the issue:

When I try to run live analysis on logs (with a detector) I get this error -

Here is an example of how my logs are saved in the index -

{
    "level" => "INFO",
    "@timestamp" => 2025-11-03T15:59:59.000Z,
    "message" => "Connection to postgres is alive\r",
    "app_name" => "app1"
}

This is how I configured the detector -

# Python dict used as the detector body; data_stream is defined elsewhere in the script
{
    "name": f"error_count_for_{data_stream}",
    "description": f"Anomaly detector for error logs in {data_stream}",
    "time_field": "@timestamp",
    "indices": [f"{data_stream}-*"],
    "feature_attributes": [{
        "feature_name": "errors_count",
        "feature_enabled": True,
        "aggregation_query": {
            "errors_count": {
                "filter": {
                    "term": {
                        "level": {
                            "value": "ERROR",
                            "boost": 1
                        }
                    }
                },
                "aggregations": {
                    "errors_count": {
                        "value_count": {
                            "field": "level"
                        }
                    }
                }
            }
        }
    }],
    "detection_interval": {
        "period": {
            "interval": 1,
            "unit": "Minutes"
        }
    },
    "window_delay": {
        "period": {
            "interval": 10,
            "unit": "Minutes"
        }
    },
    "history": 40
}

So I don't understand what is being ingested the wrong way.

Thanks in advance to all the helpers.

Configuration:

Relevant Logs or Screenshots:

@Itay1234 Did you try running this query on its own? Do you get results?
Could you share your index mappings?

Yes, the detector is being created successfully, and if I use the historical analysis it works.
This is my index mapping -

The problem is only when I use live detection; everything else works fine.
Also the ingestion works fine when I don't use the live detection, meaning the mapping is OK.

Maybe I need to add more delay (currently 10 mins)? Because I couldn't see the data yesterday (also the index was shown in the index table), and now (a day later) I can see it. Could it be related?
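The following is an added example, not code from the thread or from the OpenSearch project. It does what the reply suggests (run the feature's query on its own) and makes the window-delay question concrete: a live run started at time T evaluates the interval that ended `window_delay` ago, i.e. [T - window_delay - detection_interval, T - window_delay), so documents that are indexed later than that are simply not there when the run happens. The detector values are taken from the post; the sample documents are constructed, and the `count_errors_on_cluster` helper assumes an opensearch-py client.

```python
# Added example, not code from the original thread. It reproduces the window a
# live anomaly detector run evaluates (detection_interval + window_delay from
# the post) and the feature's own aggregation, so the same query can be run on
# its own against the index. opensearch-py is assumed only for the optional
# cluster call; everything else runs offline on constructed sample documents.
from datetime import datetime, timedelta, timezone

DETECTION_INTERVAL_MIN = 1   # "detection_interval" from the post
WINDOW_DELAY_MIN = 10        # "window_delay" from the post
TIME_FIELD = "@timestamp"    # "time_field" from the post


def live_window(now, interval_min=DETECTION_INTERVAL_MIN, delay_min=WINDOW_DELAY_MIN):
    """(start, end) of the interval a live run started at `now` looks at.

    Live detection evaluates the interval that ended `window_delay` ago, so a
    document that is indexed more than `delay_min` minutes after its own
    timestamp is not in the index yet when that interval is queried.
    """
    end = now - timedelta(minutes=delay_min)
    start = end - timedelta(minutes=interval_min)
    return start, end


def feature_search_body(start, end):
    """Search body equivalent to the detector's 'errors_count' feature,
    restricted to one detection window via a range query on the time field."""
    return {
        "size": 0,
        "query": {
            "range": {TIME_FIELD: {"gte": start.isoformat(), "lt": end.isoformat()}}
        },
        "aggregations": {
            "errors_count": {
                "filter": {"term": {"level": {"value": "ERROR"}}},
                "aggregations": {"errors_count": {"value_count": {"field": "level"}}},
            }
        },
    }


def parse_ts(value):
    """Parse the ISO-8601 timestamps Logstash writes, including a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def count_errors_locally(docs, start, end):
    """Evaluate the same feature over in-memory documents.

    Mirrors the cluster semantics: the range is [start, end), and `term` on a
    keyword field is an exact, case-sensitive match, so "error" != "ERROR".
    """
    return sum(
        1
        for d in docs
        if start <= parse_ts(d[TIME_FIELD]) < end and d.get("level") == "ERROR"
    )


def count_errors_on_cluster(client, index, start, end):
    """Run the window query on a real index (assumes an opensearch-py client)."""
    resp = client.search(index=index, body=feature_search_body(start, end))
    return resp["aggregations"]["errors_count"]["errors_count"]["value"]


# Constructed sample documents shaped like the post's rubydebug output.
SAMPLE_DOCS = [
    {"level": "ERROR", "@timestamp": "2025-11-03T15:59:30.000Z", "message": "db down", "app_name": "app1"},
    {"level": "INFO", "@timestamp": "2025-11-03T15:59:59.000Z", "message": "Connection to postgres is alive\r", "app_name": "app1"},
    {"level": "error", "@timestamp": "2025-11-03T15:59:40.000Z", "message": "lowercase level", "app_name": "app1"},
    {"level": "ERROR", "@timestamp": "2025-11-03T16:00:30.000Z", "message": "after the window", "app_name": "app1"},
]


if __name__ == "__main__":
    now = datetime(2025, 11, 3, 16, 10, tzinfo=timezone.utc)
    start, end = live_window(now)
    print(f"live run at {now.isoformat()} queries [{start.isoformat()}, {end.isoformat()})")
    print("errors in window (local evaluation):", count_errors_locally(SAMPLE_DOCS, start, end))
```

If `count_errors_on_cluster` returns 0 for a window in which the logs should contain errors, compare the `@timestamp` of those documents with the window bounds: timestamps written without a UTC offset, or an ingestion pipeline that lags by more than `window_delay`, both leave the live run looking at an empty interval while historical analysis (which runs later, once everything has arrived) still works.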