

Cloudera Cybersecurity 2.0.1 and Elasticsearch 7.4


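Hello everyone, I'm using Cloudera Cybersecurity 2.0.1 with Elasticsearch 7.4 in my dev environment, and almost everything is working fine. However, when I try to search for something in Apache Metron, the Metron REST service logs the error below: Elasticsearch answers the search request with HTTP 400 and a parsing_exception saying that the [query_string] query does not support [use_dis_max].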

 

 

2020-06-10 12:16:56.520 ERROR 1418 --- [nio-8082-exec-6] o.a.m.r.c.RestExceptionHandler : Encountered error: Failed to execute search; error='ElasticsearchStatusException: Elasticsearch exception [type=parsing_exception, reason=[query_string] query does not support [use_dis_max]]', search='{"from":0,"size":25,"query":{"constant_score":{"filter":{"bool":{"must":[{"bool":{"should":[{"query_string":{"query":"(timestamp:[1591801293000 TO 1591802193000] OR metron_alert.timestamp:[1591801293000 TO 1591802193000]) AND (hostname:10.0.0.1 OR metron_alert.hostname:10.0.0.1)","fields":[],"use_dis_max":true,"tie_breaker":0.0,"default_operator":"or","auto_generate_phrase_queries":false,"max_determinized_states":10000,"enable_position_increments":true,"fuzziness":"AUTO","fuzzy_prefix_length":0,"fuzzy_max_expansions":50,"phrase_slop":0,"escape":false,"split_on_whitespace":true,"boost":1.0}},{"nested":{"query":{"query_string":{"query":"(timestamp:[1591801293000 TO 1591802193000] OR metron_alert.timestamp:[1591801293000 TO 1591802193000]) AND (hostname:10.0.0.1 OR 
metron_alert.hostname:10.0.0.1)","fields":[],"use_dis_max":true,"tie_breaker":0.0,"default_operator":"or","auto_generate_phrase_queries":false,"max_determinized_states":10000,"enable_position_increments":true,"fuzziness":"AUTO","fuzzy_prefix_length":0,"fuzzy_max_expansions":50,"phrase_slop":0,"escape":false,"split_on_whitespace":true,"boost":1.0}},"path":"metron_alert","ignore_unmapped":false,"score_mode":"none","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}},{"bool":{"should":[{"term":{"status":{"value":"active","boost":1.0}}},{"bool":{"must_not":[{"exists":{"field":"status","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}}],"must_not":[{"exists":{"field":"metaalerts","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}},"boost":1.0}},"_source":{"includes":[],"excludes":[]},"sort":[{"timestamp":{"order":"desc","missing":"_last","unmapped_type":"other"}}],"track_scores":true,"aggregations":{"source:type_count":{"terms":{"field":"source:type","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"ip_src_addr_count":{"terms":{"field":"ip_src_addr","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"ip_dst_addr_count":{"terms":{"field":"ip_dst_addr","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"enrichments:geo:ip_dst_addr:country_count":{"terms":{"field":"enrichments:geo:ip_dst_addr:country","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}}}}'

org.apache.metron.rest.RestException: Failed to execute search; error='ElasticsearchStatusException: Elasticsearch exception [type=parsing_exception, reason=[query_string] query does not support [use_dis_max]]', search='{"from":0,"size":25,"query":{"constant_score":{"filter":{"bool":{"must":[{"bool":{"should":[{"query_string":{"query":"(timestamp:[1591801293000 TO 1591802193000] OR metron_alert.timestamp:[1591801293000 TO 1591802193000]) AND (hostname:10.0.0.1 OR metron_alert.hostname:10.0.0.1)","fields":[],"use_dis_max":true,"tie_breaker":0.0,"default_operator":"or","auto_generate_phrase_queries":false,"max_determinized_states":10000,"enable_position_increments":true,"fuzziness":"AUTO","fuzzy_prefix_length":0,"fuzzy_max_expansions":50,"phrase_slop":0,"escape":false,"split_on_whitespace":true,"boost":1.0}},{"nested":{"query":{"query_string":{"query":"(timestamp:[1591801293000 TO 1591802193000] OR metron_alert.timestamp:[1591801293000 TO 1591802193000]) AND (hostname:10.0.0.1 OR metron_alert.hostname:10.0.0.1)","fields":[],"use_dis_max":true,"tie_breaker":0.0,"default_operator":"or","auto_generate_phrase_queries":false,"max_determinized_states":10000,"enable_position_increments":true,"fuzziness":"AUTO","fuzzy_prefix_length":0,"fuzzy_max_expansions":50,"phrase_slop":0,"escape":false,"split_on_whitespace":true,"boost":1.0}},"path":"metron_alert","ignore_unmapped":false,"score_mode":"none","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}},{"bool":{"should":[{"term":{"status":{"value":"active","boost":1.0}}},{"bool":{"must_not":[{"exists":{"field":"status","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}}],"must_not":[{"exists":{"field":"metaalerts","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}},"boost":1.0}},"_source":{"includes":[],"excludes":[]},"sort":[{"timestamp":{"order":"desc","missing":"_last","unmapped_type":
"other"}}],"track_scores":true,"aggregations":{"source:type_count":{"terms":{"field":"source:type","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"ip_src_addr_count":{"terms":{"field":"ip_src_addr","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"ip_dst_addr_count":{"terms":{"field":"ip_dst_addr","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"enrichments:geo:ip_dst_addr:country_count":{"terms":{"field":"enrichments:geo:ip_dst_addr:country","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}}}}'
at org.apache.metron.rest.service.impl.SearchServiceImpl.search(SearchServiceImpl.java:95) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.rest.controller.SearchController.search(SearchController.java:54) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at sun.reflect.GeneratedMethodAccessor335.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_112]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_112]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:209) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:877) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:783) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:974) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:877) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:661) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:851) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.AbstractRequestLoggingFilter.doFilterInternal(AbstractRequestLoggingFilter.java:245) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.rest.web.filter.ResponseLoggingFilter.doFilter(ResponseLoggingFilter.java:61) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_112]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.apache.metron.indexing.dao.search.InvalidSearchException: Failed to execute search; error='ElasticsearchStatusException: Elasticsearch exception [type=parsing_exception, reason=[query_string] query does not support [use_dis_max]]', search='{"from":0,"size":25,"query":{"constant_score":{"filter":{"bool":{"must":[{"bool":{"should":[{"query_string":{"query":"(timestamp:[1591801293000 TO 1591802193000] OR metron_alert.timestamp:[1591801293000 TO 1591802193000]) AND (hostname:10.0.0.1 OR metron_alert.hostname:10.0.0.1)","fields":[],"use_dis_max":true,"tie_breaker":0.0,"default_operator":"or","auto_generate_phrase_queries":false,"max_determinized_states":10000,"enable_position_increments":true,"fuzziness":"AUTO","fuzzy_prefix_length":0,"fuzzy_max_expansions":50,"phrase_slop":0,"escape":false,"split_on_whitespace":true,"boost":1.0}},{"nested":{"query":{"query_string":{"query":"(timestamp:[1591801293000 TO 1591802193000] OR metron_alert.timestamp:[1591801293000 TO 1591802193000]) AND (hostname:10.0.0.1 OR 
metron_alert.hostname:10.0.0.1)","fields":[],"use_dis_max":true,"tie_breaker":0.0,"default_operator":"or","auto_generate_phrase_queries":false,"max_determinized_states":10000,"enable_position_increments":true,"fuzziness":"AUTO","fuzzy_prefix_length":0,"fuzzy_max_expansions":50,"phrase_slop":0,"escape":false,"split_on_whitespace":true,"boost":1.0}},"path":"metron_alert","ignore_unmapped":false,"score_mode":"none","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}},{"bool":{"should":[{"term":{"status":{"value":"active","boost":1.0}}},{"bool":{"must_not":[{"exists":{"field":"status","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}}],"must_not":[{"exists":{"field":"metaalerts","boost":1.0}}],"disable_coord":false,"adjust_pure_negative":true,"boost":1.0}},"boost":1.0}},"_source":{"includes":[],"excludes":[]},"sort":[{"timestamp":{"order":"desc","missing":"_last","unmapped_type":"other"}}],"track_scores":true,"aggregations":{"source:type_count":{"terms":{"field":"source:type","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"ip_src_addr_count":{"terms":{"field":"ip_src_addr","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"ip_dst_addr_count":{"terms":{"field":"ip_dst_addr","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}},"enrichments:geo:ip_dst_addr:country_count":{"terms":{"field":"enrichments:geo:ip_dst_addr:country","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_term":"asc"}]}}}}'
at org.apache.metron.elasticsearch.dao.ElasticsearchRequestSubmitter.submitSearch(ElasticsearchRequestSubmitter.java:72) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchSearchDao.search(ElasticsearchSearchDao.java:128) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchDao.search(ElasticsearchDao.java:199) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertSearchDao.search(ElasticsearchMetaAlertSearchDao.java:81) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao.search(ElasticsearchMetaAlertDao.java:209) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.rest.service.impl.SearchServiceImpl.search(SearchServiceImpl.java:92) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
... 94 more
Caused by: org.elasticsearch.ElasticsearchStatusException: Elasticsearch exception [type=parsing_exception, reason=[query_string] query does not support [use_dis_max]]
at org.elasticsearch.rest.BytesRestResponse.errorFromXContent(BytesRestResponse.java:177) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.elasticsearch.client.RestHighLevelClient.parseEntity(RestHighLevelClient.java:526) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.elasticsearch.client.RestHighLevelClient.parseResponseException(RestHighLevelClient.java:502) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:409) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:382) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:323) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchRequestSubmitter.submitSearch(ElasticsearchRequestSubmitter.java:62) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchSearchDao.search(ElasticsearchSearchDao.java:128) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchDao.search(ElasticsearchDao.java:199) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertSearchDao.search(ElasticsearchMetaAlertSearchDao.java:81) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao.search(ElasticsearchMetaAlertDao.java:209) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.rest.service.impl.SearchServiceImpl.search(SearchServiceImpl.java:92) ~[metron-rest-0.7.2.2.0.1.0-6-uber.jar:?]
... 94 more
Suppressed: org.elasticsearch.client.ResponseException: POST http://hostname:9200/name0_index*,name1_index*,name2_index*,name3_index*,name4_index*,name5_index*,asa_index*,name6_index*,name7_index*,name8_index*,jsonMapWrappedQuery_index*,snort_index*,bro_index*,yaf_index*,metaalert_index*/_search?typed_keys=true&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&search_type=query_then_fetch&batched_reduce_size=512: HTTP/1.1 400 Bad Request
{"error":{"root_cause":[{"type":"parsing_exception","reason":"[query_string] query does not support [use_dis_max]","line":1,"col":308}],"type":"parsing_exception","reason":"[query_string] query does not support [use_dis_max]","line":1,"col":308},"status":400}
at org.elasticsearch.client.RestClient$1.completed(RestClient.java:354) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.elasticsearch.client.RestClient$1.completed(RestClient.java:343) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.concurrent.BasicFuture.completed(BasicFuture.java:119) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:436) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:326) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at org.apache.metron.http.elasticsearch.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) ~[metron-elasticsearch-storm-0.7.2.2.0.1.0-6-uber.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]

 

 

Does anyone know how I can solve this error?

 

Thanks in advance.