Closed
Description
What is the bug?
Attempting to create a new detector (minimally configured) per the documentation results in an error using either the dashboard or the API.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Install fresh OpenSearch w/Dashboards 2.4.0, using the Helm chart on Kubernetes.
- Send data from Packetbeat (DNS traffic) through Logstash to an index (called packetbeat-8.5.0-2022.11.23 in this case)
- Attempt to create any detector (GUI or API)
What is the expected behavior?
Detector is created, configured and runs.
What is your host/environment?
- OS: Kubernetes 1.24.6 on Fedora CoreOS 411.36.4
- Deployed with https://github.com/opensearch-project/helm-charts (nearly vanilla config)
Do you have any screenshots?
API log, Console Log and Dashboard screenshot attached.
Do you have any additional context?
Seems to be an underlying issue with mappings, but I am unable to troubleshoot further as the indexes are working exactly as expected with all other plugins.
at org.opensearch.cluster.service.MasterService.executeTasks(MasterService.java:843) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.cluster.service.MasterService.calculateTaskOutputs(MasterService.java:414) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:285) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:196) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:176) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:214) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:747) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282) ~[opensearch-2.4.0.jar:2.4.0]
at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245) ~[opensearch-2.4.0.jar:2.4.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at java.lang.Thread.run(Thread.java:833) ~[?:?]
uncaught exception in thread [DefaultDispatcher-worker-4]
RemoteTransportException[[scsp-internal-master-1][10.129.2.29:9300][indices:admin/mapping/put]]; nested: IllegalArgumentException[mapper [query] cannot be changed from type [percolator_ext] to [text]];
Caused by: java.lang.IllegalArgumentException: mapper [query] cannot be changed from type [percolator_ext] to [text]
at org.opensearch.index.mapper.ParametrizedFieldMapper.merge(ParametrizedFieldMapper.java:112)
at org.opensearch.index.mapper.ParametrizedFieldMapper.merge(ParametrizedFieldMapper.java:76)
at org.opensearch.index.mapper.ObjectMapper.doMerge(ObjectMapper.java:616)
at org.opensearch.index.mapper.RootObjectMapper.doMerge(RootObjectMapper.java:350)
at org.opensearch.index.mapper.ObjectMapper.merge(ObjectMapper.java:575)
at org.opensearch.index.mapper.RootObjectMapper.merge(RootObjectMapper.java:345)
at org.opensearch.index.mapper.Mapping.merge(Mapping.java:129)
at org.opensearch.index.mapper.DocumentMapper.merge(DocumentMapper.java:307)
at org.opensearch.cluster.metadata.MetadataMappingService$PutMappingExecutor.applyRequest(MetadataMappingService.java:271)
at org.opensearch.cluster.metadata.MetadataMappingService$PutMappingExecutor.execute(MetadataMappingService.java:237)
at org.opensearch.cluster.service.MasterService.executeTasks(MasterService.java:843)
at org.opensearch.cluster.service.MasterService.calculateTaskOutputs(MasterService.java:414)
at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:285)
at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:196)
at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:176)
at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:214)
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:747)
at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:282)
at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:245)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:833)
[2022-11-23T19:07:16,667][INFO ][o.o.j.s.JobSweeper ] [scsp-internal-master-3] Running full sweep
[2022-11-23T19:07:25,358][INFO ][o.o.a.a.AlertIndices ] [scsp-internal-master-3] Index mapping of .opensearch-sap-dns-alerts is updated
[2022-11-23T19:07:25,363][INFO ][o.o.a.a.AlertIndices ] [scsp-internal-master-3] Index mapping of .opensearch-sap-dns-alerts-history-2022.11.23-1 is updated
[2022-11-23T19:07:25,367][INFO ][o.o.a.a.AlertIndices ] [scsp-internal-master-3] Index mapping of .opensearch-sap-dns-findings-2022.11.23-1 is updated
[2022-11-23T19:07:25,375][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [scsp-internal-master-3] uncaught exception in thread [DefaultDispatcher-worker-5]
org.opensearch.transport.RemoteTransportException: [scsp-internal-master-1][10.129.2.29:9300][indices:admin/mapping/put]
POST _plugins/_security_analytics/detectors
{
  "enabled": true,
  "schedule": {
    "period": {
      "interval": 1,
      "unit": "MINUTES"
    }
  },
  "detector_type": "DNS",
  "type": "detector",
  "inputs": [
    {
      "detector_input": {
        "description": "dns detector for security analytics",
        "indices": [
          "packetbeat-8.5.0-2022.11.23"
        ],
        "pre_packaged_rules": [
          {
            "id": "8ae51330-899c-4641-8125-e39f2e07da72"
          }
        ]
      }
    }
  ],
  "name": "DNS Test"
}
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_analytics_exception",
        "reason" : "[scsp-internal-master-1][10.129.2.29:9300][indices:admin/mapping/put]"
      }
    ],
    "type" : "security_analytics_exception",
    "reason" : "[scsp-internal-master-1][10.129.2.29:9300][indices:admin/mapping/put]",
    "caused_by" : {
      "type" : "exception",
      "reason" : "org.opensearch.alerting.util.AlertingException: [scsp-internal-master-1][10.129.2.29:9300][indices:admin/mapping/put]"
    }
  },
  "status" : 500
}
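A triage aid for the mapping error in the log above, added here as an example and not part of the original report or the plugin's code: it parses the "cannot be changed from type" message and lists fields in a source index mapping that have the same name and the rejected type. It assumes the rejected [text] mapping comes from a same-named field in the detector's source index; the mapping below is constructed, not taken from the reporter's cluster.

```python
import re

# Error text as it appears in the log on this page.
ERROR = ("java.lang.IllegalArgumentException: mapper [query] cannot be "
         "changed from type [percolator_ext] to [text]")

# Constructed sample of a source index mapping (assumption, for illustration).
SAMPLE_MAPPING = {"properties": {
    "@timestamp": {"type": "date"},
    "query": {"type": "text"},
    "dns": {"properties": {"question": {"properties": {
        "name": {"type": "keyword"}}}}},
}}

CONFLICT_RE = re.compile(
    r"mapper \[(?P<field>[^\]]+)\] cannot be changed from type "
    r"\[(?P<old>[^\]]+)\] to \[(?P<new>[^\]]+)\]")

def parse_conflict(message):
    """Return (field, existing_type, rejected_type), or None if no match."""
    m = CONFLICT_RE.search(message)
    return (m["field"], m["old"], m["new"]) if m else None

def flatten(properties, prefix=""):
    """Yield (dotted_path, type) for every leaf field of a mapping."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            yield from flatten(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")

def colliding_fields(message, mapping):
    """List source fields whose path and type match the rejected mapper."""
    conflict = parse_conflict(message)
    if conflict is None:
        return []
    field, _existing, rejected = conflict
    return [(path, ftype) for path, ftype in flatten(mapping["properties"])
            if path == field and ftype == rejected]

if __name__ == "__main__":
    print(parse_conflict(ERROR))
    print(colliding_fields(ERROR, SAMPLE_MAPPING))
```

To run it against a live index, pass the `mappings` object returned by `GET <index>/_mapping` in place of the constructed sample.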