sentinl: MapperParsingException[Field name [...] cannot contain '.']

I am trying to get notifications for “topbeat” metrics, for example when the percentage of disk space used is above a threshold.

In short, on watcher save I get the error: MapperParsingException[Field name [fs.used_p] cannot contain '.']

Here are the details:

The query that works in Sense:

GET _search
{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "type: filesystem",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": "now-10m",
                  "lte": "now"
                }
              }
            },
            {
              "range": {
                "fs.used_p": {
                  "gte": 0.1
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "size": 1,
  "aggs": {
    "device_name": {
      "terms": {
        "field": "fs.mount_point",
        "size": 100
      },
      "aggs": {
        "used_p": {
          "avg": {
            "field": "fs.used_p"
          }
        }
      }
    }
  }
}

And here is the result from ES:

{
  "took": 84,
  "timed_out": false,
  "_shards": {
    "total": 368,
    "successful": 368,
    "failed": 0
  },
  "hits": {
    "total": 2,
    "max_score": 3.1690538,
    "hits": [
      {
        "_index": "topbeat-2016.10.12",
        "_type": "filesystem",
        "_id": "AVe4XqQQLJiUKvRzXlL2",
        "_score": 3.1690538,
        "_source": {
          "type": "filesystem",
          "fs": {
            "device_name": "/dev/vda1",
            "total": 31570522112,
            "used": 4357283840,
            "used_p": 0.14,
            "free": 27213238272,
            "avail": 25585963008,
            "files": 1966080,
            "free_files": 1820159,
            "mount_point": "/"
          },
          "count": 1,
          "beat": {
            "hostname": "h2",
            "name": "h2"
          },
          "@timestamp": "2016-10-12T10:09:50.457Z",
          "@version": "1",
          "host": "h2",
          "tags": [
            "beats_input_raw_event"
          ]
        }
      }
    ]
  },
  "aggregations": {
    "device_name": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "/",
          "doc_count": 2,
          "used_p": {
            "value": 0.14000000059604645
          }
        }
      ]
    }
  }
}

Now I am trying to save this watcher in KAAE:

{
  "_index": "watcher",
  "_type": "watch",
  "_id": "test",
  "_score": 1,
  "_source": {
    "trigger": {
      "schedule": {
        "later": "every 10 seconds"
      }
    },
    "input": {
      "search": {
        "request": {
          "index": [
            "<topbeat-{now/d}>"
          ],
          "body": {
            "query": {
              "filtered": {
                "query": {
                  "query_string": {
                    "query": "type: filesystem",
                    "analyze_wildcard": true
                  }
                },
                "filter": {
                  "bool": {
                    "must": [
                      {
                        "range": {
                          "@timestamp": {
                            "gte": "now-10m",
                            "lte": "now"
                          }
                        }
                      },
                      {
                        "range": {
                          "fs.used_p": {
                            "gte": 0.1
                          }
                        }
                      }
                    ],
                    "must_not": []
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": {
        "script": "payload.hits.total > 0"
      }
    },
    "transform": {},
    "actions": {
      "email_admin": {
        "email": {
          "to": "...@gmail.com",
          "from": "kaae@localhost",
          "subject": "KaaE Alarm",
          "priority": "high",
          "body": "Found Events"
        }
      }
    }
  }
}

And I get this error:

Oct 12 06:04:43  elasticsearch[3462]: [2016-10-12 06:04:43,179][DEBUG][action.admin.indices.mapping.put] [] failed to put mappings on indices [[watcher]], type [watch]
Oct 12 06:04:43  elasticsearch[3462]: MapperParsingException[Field name [fs.used_p] cannot contain '.']

But this query works in Sense, and I am stuck with it. Could you please tell me what I am doing wrong and how to achieve my goal?


Most upvoted comments

Thanks @lmangani, you’re an awesome maintainer