Hello guys, I have created an HTTP data source pipeline and GROK processed the Linux Syslogs. Now, I have the logs in JSON and want to run detection rules on my Index which has processed logs.
When creating the detector, I choose my data source, log type, and alert trigger, and schedule it. In my OpenSearch service logs, I see the following error:
IllegalStateException[Failed to run percolate search for sourceIndex [sys_logs] and queryIndex [.opensearch-sap-linux-detectors-queries-000001] for 128 document(s)]; nested: SearchPhaseExecutionException[all shards failed]; nested: OpenSearchException[Query contains too many nested clauses; maxClauseCount is set to 1024];
Upon looking I was not able to get much help on the internet. I think my detector runs and most probably finds the anomaly also but when I explore Alerts I see the alert with the above error and no Findings are also there. Any help would be appreciated. Thanks
In alert panale i’m Getting Status Error and Deleted when i call following api
GET /_plugins/_security_analytics/alerts?detectorType=linux
i get following error log in console
IllegalStateException[Failed to run percolate search for sourceIndex [cytex_logs] and queryIndex [.opensearch-sap-linux-detectors-queries-000001] for 134 document(s)]; nested: SearchPhaseExecutionException[all shards failed]; nested: OpenSearchException[Query contains too many nested clauses; maxClauseCount is set to 1024];