Preface
Note: ElasticSearch version is 5.4.
Our log system requires some system indexes, which are added to ElasticSearch during application initialization. While they hold no data, these system indexes have only an index name and some configuration information in ElasticSearch, but no mapping information. When a user searches the logs sorted by time interval, ElasticSearch throws an all shards failed exception. The specific exception information is as follows:
Caused by: [.alert/NXa3zq5WSb-wGBKgyZibzw] QueryShardException[No mapping found for [timestamp] in order to sort on]
    at org.elasticsearch.search.sort.FieldSortBuilder.build(FieldSortBuilder.java:262)
    at org.elasticsearch.search.sort.SortBuilder.buildSort(SortBuilder.java:156)
    at org.elasticsearch.search.SearchService.parseSource(SearchService.java:617)
    at org.elasticsearch.search.SearchService.createContext(SearchService.java:468)
    at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:444)
    at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:252)
    at org.elasticsearch.action.search.SearchTransportService$6.messageReceived(SearchTransportService.java:331)
    at org.elasticsearch.action.search.SearchTransportService$6.messageReceived(SearchTransportService.java:328)
    at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
    at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:627)
    at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:638)
    at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
    ... 3 more
Investigation
Based on the data in the alert index and the exception reported by ElasticSearch, I suspect the cause is that the alert system index has no mapping information for timestamp. When the alert index has just been initialized and holds no data, its information in ElasticSearch is as follows:
http://dev:9200/.alert
{
  ".alert": {
    "aliases": {
      "alert": {}
    },
    "mappings": {
      "alert": {}
    },
    "settings": {
      "index": {
        "refresh_interval": "-1",
        "number_of_shards": "5",
        "provided_name": ".alert",
        "creation_date": "1533613744728",
        "store": {
          "type": "fs"
        },
        "number_of_replicas": "1",
        "uuid": "YuPjsObOTMO6u3fEdG6hVw",
        "version": {
          "created": "5040099"
        }
      }
    }
  }
}
After seeing this information, I began to try to solve it in the following ways.
Solution
Methods 1 and 2 below fail, and only method 3 successfully solves the problem. However, while solving it I searched through a lot of material, which gave me a deeper understanding of ElasticSearch mapping, so I recorded the whole process.
Method 1: add index template
First, because there is no mapping information for fields such as timestamp, I wanted to create an index template so that the mapping of the alert index is set by the template and the corresponding mapping information exists when the index is created. The template information is as follows:
{
  "alert": {
    "order": 0,
    "template": "alert",
    "settings": {
      "index": {
        "number_of_shards": "5",
        "number_of_replicas": "1",
        "refresh_interval": "2s"
      }
    },
    "mappings": {
      "alert": {
        "properties": {
          "timestamp": {
            "type": "date"
          }
        }
      }
    },
    "aliases": {}
  }
}
However, testing showed that the all shards failed problem still occurs. The reasons are as follows:
The index template only takes effect when new index data is inserted. If there is no index data, the mappings defined by the index template do not take effect, and changes to the template do not affect existing indexes.
At this point the alert index is empty and no new data has been inserted. Therefore the template does not take effect, so this method does not solve the all shards failed problem.
Method 2: add mapping when creating an index
ElasticSearch allows you to define mapping information when creating an index, so I came up with this method. Testing showed that it does solve the all shards failed problem. However, it has a serious consequence: we use the alert index to record server alarm information, and when I added data to the alert index, only the data in the timestamp field was added. Other data, such as the host generating the alarm and the alarm content, failed to be added.
I consulted the official documentation and found:
Once the mapping information is created, it cannot be modified. Changing the existing mapping means invalidating the existing index data. The solution is to create a new index with the correct mapping information and then add the data to the new index again. Although a reindex method is officially provided to solve this problem, the cost of reindexing is relatively high when there is a large amount of data. Therefore, adding the mapping when creating the index does not work.
Method 3: add unmapped_type to the sorting condition
ElasticSearch's search API lets you specify how a sort field that has no mapping is handled. By default, a search request fails if there is no mapping associated with the sort field. The unmapped_type option allows a field that has no mapping to be ignored, so that no sorting is done on that field. Since the mapping of timestamp is of date type, adding {"timestamp": {"unmapped_type": "date"}} to the search sorting criteria successfully solves the all shards failed problem caused by the sort field having no date mapping.
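
One way to apply method 3 to every search the log system issues, as an added example that is not code from the original post: a helper that accepts the sort forms the search API allows (a bare field name, {"field": "desc"}, or {"field": {...}}) and adds unmapped_type to known fields. The function names and the field map are assumptions; only the timestamp/date pair comes from the article.

```python
import json

# Field -> type used for unmapped_type. Only "timestamp": "date" comes from
# the article; extend the map for other sortable fields (assumption).
FIELD_TYPES = {"timestamp": "date"}


def _fix_clause(clause, field_types):
    # Short form "timestamp"; leave "_score", "_doc" and unknown fields alone.
    if isinstance(clause, str):
        if clause not in field_types:
            return clause
        return {clause: {"unmapped_type": field_types[clause]}}
    fixed = {}
    for field, opts in clause.items():
        if field in field_types:
            # Short form {"timestamp": "desc"} becomes {"order": "desc"}.
            opts = {"order": opts} if isinstance(opts, str) else dict(opts)
            # Keep an unmapped_type the caller already chose.
            opts.setdefault("unmapped_type", field_types[field])
        fixed[field] = opts
    return fixed


def add_unmapped_type(body, field_types=FIELD_TYPES):
    """Return a copy of a search body whose known sort fields carry unmapped_type."""
    body = dict(body)
    sort = body.get("sort")
    if sort is None:
        return body
    clauses = sort if isinstance(sort, list) else [sort]
    body["sort"] = [_fix_clause(c, field_types) for c in clauses]
    return body


if __name__ == "__main__":
    # Constructed sample: last hour of alerts, newest first.
    sample = {
        "query": {"range": {"timestamp": {"gte": "now-1h", "lte": "now"}}},
        "sort": ["_score", {"timestamp": "desc"}],
    }
    print(json.dumps(add_unmapped_type(sample), indent=2))
```

The returned dictionary is the JSON body to send to the _search endpoint; the input body is left unmodified.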