Replies: 1 comment
-
You do seem to be in a bit of a pickle. It sounds like you're running OpenSearch 2, which is equivalent to Elasticsearch 8, yet you're currently faking the OpenSearch version to be an older version 7. ElastAlert 2 is creating its indexes correctly, based on the detected version.
Unfortunately, I do not have capacity to try and make ElastAlert 2 run in all different version modes against a large number of different remote cluster vendors and versions. You would need to do this testing on your own time. |
Beta Was this translation helpful? Give feedback.
-
Hi there, We are trying to use elastalert2 (docker version) with Opensearch (where opensearch has its backward compatibility mode set to TRUE). This means that the cluster version details returned from Opensearch are elastic search 7.10.2.
However, when elastalert container runs for the first time, it tries to create the index and returns this error. it does indeed create the index, BUT this 400 error does not look good. (last line of the code/logs block below. This is an excerpt from the logs).
SO, looking at the code in https://github.com/jertel/elastalert2/blob/master/elastalert/create_index.py#L77, it does seem that, if elastalert2 detects the ES cluster is 7.x, (which in our case is 7.10.2), it will try to add the ?include_type_name=true, BUT the Opensearch cluster returns a 400, as it clearly does not like that query format.
(1) Is there a way around this please? If , for example, we set an es_version value to 8.2, would it get around this? But, then would it create further problems, because actually our Opensearch backward compatible mode cluster is at 7.10.2.
(2) We could of course change our Opensearch cluster to be NOT backward compatible, in which case it may successfully create this index without error. However, other apps/components we use demand that our Opensearch cluster must be set to backward compaitible, in other words we need it to be set to 7.10.2
(3) As the index is actually created, do we need to worry about this 400 error? Is it serious or is it innocuous , and can we continue?
(a) By the way, if we do ignore it and continue, then we get another error:
Something like : elasticsearch.exceptions.RequestError: RequestError(400, ‘search_phase_execution_exception’, ‘No mapping found for [alert_time] in order to sort on’)
Can you please put a fix in your code to deal with Openseach in backward compatible mode, OR suggest a solution if possible.
Many Thanks
Beta Was this translation helpful? Give feedback.
All reactions