[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16481249#comment-16481249
 ] 

ASF GitHub Bot commented on METRON-1567:


Github user simonellistonball commented on a diff in the pull request:

https://github.com/apache/metron/pull/1020#discussion_r189402062
  
--- Diff: 
metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---
@@ -40,6 +39,8 @@
   
   guid
 
+  
+  
--- End diff --

Makes sense, +1 on this then. 


> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron pull request #1020: METRON-1567: Large error message can't be written...

[simonellistonball]

Github user simonellistonball commented on a diff in the pull request:

https://github.com/apache/metron/pull/1020#discussion_r189402062
  
--- Diff: 
metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---
@@ -40,6 +39,8 @@
   
   guid
 
+  
+  
--- End diff --

Makes sense, +1 on this then. 


---

[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16481245#comment-16481245
 ] 

ASF GitHub Bot commented on METRON-1567:


Github user justinleet commented on a diff in the pull request:

https://github.com/apache/metron/pull/1020#discussion_r189401232
  
--- Diff: 
metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---
@@ -40,6 +39,8 @@
   
   guid
 
+  
+  
--- End diff --

When the BulkWriterComponent hits an error, there's aggregation of the 
messages of the Tuples involved.

See:

https://github.com/apache/metron/blob/f072ed231f9acdf0957f0244b6402b2ecd9403a0/metron-platform/metron-writer/src/main/java/org/apache/metron/writer/BulkWriterComponent.java#L117

And:

https://github.com/apache/metron/blob/358e40bd17d5de2a380a91115eaee9ebd3a453f6/metron-platform/metron-common/src/main/java/org/apache/metron/common/error/MetronError.java#L147


> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron pull request #1020: METRON-1567: Large error message can't be written...

[justinleet]

Github user justinleet commented on a diff in the pull request:

https://github.com/apache/metron/pull/1020#discussion_r189401232
  
--- Diff: 
metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---
@@ -40,6 +39,8 @@
   
   guid
 
+  
+  
--- End diff --

When the BulkWriterComponent hits an error, there's aggregation of the 
messages of the Tuples involved.

See:

https://github.com/apache/metron/blob/f072ed231f9acdf0957f0244b6402b2ecd9403a0/metron-platform/metron-writer/src/main/java/org/apache/metron/writer/BulkWriterComponent.java#L117

And:

https://github.com/apache/metron/blob/358e40bd17d5de2a380a91115eaee9ebd3a453f6/metron-platform/metron-common/src/main/java/org/apache/metron/common/error/MetronError.java#L147


---

[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16481225#comment-16481225
 ] 

ASF GitHub Bot commented on METRON-1567:


Github user simonellistonball commented on a diff in the pull request:

https://github.com/apache/metron/pull/1020#discussion_r189398418
  
--- Diff: 
metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---
@@ -40,6 +39,8 @@
   
   guid
 
+  
+  
--- End diff --

Out of curiosity, under which circumstances do we get multiple raw 
messages? 


> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron pull request #1020: METRON-1567: Large error message can't be written...

[simonellistonball]

Github user simonellistonball commented on a diff in the pull request:

https://github.com/apache/metron/pull/1020#discussion_r189398418
  
--- Diff: 
metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---
@@ -40,6 +39,8 @@
   
   guid
 
+  
+  
--- End diff --

Out of curiosity, under which circumstances do we get multiple raw 
messages? 


---

[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480975#comment-16480975
 ] 

ASF GitHub Bot commented on METRON-1567:


Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1020
  
Closing manually because feature branch


> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480976#comment-16480976
 ] 

ASF GitHub Bot commented on METRON-1567:


Github user justinleet closed the pull request at:

https://github.com/apache/metron/pull/1020


> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1020: METRON-1567: Large error message can't be written in Sol...

[justinleet]

Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1020
  
Closing manually because feature branch


---

[jira] [Commented] (METRON-1548) Alerts UI: Remove hardcoded source:type and other fields that may vary

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480969#comment-16480969
 ] 

ASF GitHub Bot commented on METRON-1548:


Github user asfgit closed the pull request at:

https://github.com/apache/metron/pull/1010


> Alerts UI: Remove hardcoded source:type and other fields that may vary
> --
>
> Key: METRON-1548
> URL: https://issues.apache.org/jira/browse/METRON-1548
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Priority: Major
>
> In Solr, we use source.type instead of source:type (which was originally due 
> to ES limitations, we'd prefer it to be common across both). However, it's 
> hardcoded in the alerts UI to be source:type, so nothing in the UI has a 
> source type and it breaks other things like metaalerts (which rely on source 
> type for being able to pull the data together).
> Any other configs / queries that would cause similar problems should be 
> updated appropriately.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron pull request #1010: METRON-1548: Remove hardcoded source:type from Al...

[asfgit]

Github user asfgit closed the pull request at:

https://github.com/apache/metron/pull/1010


---

[jira] [Commented] (METRON-1548) Alerts UI: Remove hardcoded source:type and other fields that may vary

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480869#comment-16480869
 ] 

ASF GitHub Bot commented on METRON-1548:


Github user merrimanr commented on the issue:

https://github.com/apache/metron/pull/1010
  
+1 pending travis


> Alerts UI: Remove hardcoded source:type and other fields that may vary
> --
>
> Key: METRON-1548
> URL: https://issues.apache.org/jira/browse/METRON-1548
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Priority: Major
>
> In Solr, we use source.type instead of source:type (which was originally due 
> to ES limitations, we'd prefer it to be common across both). However, it's 
> hardcoded in the alerts UI to be source:type, so nothing in the UI has a 
> source type and it breaks other things like metaalerts (which rely on source 
> type for being able to pull the data together).
> Any other configs / queries that would cause similar problems should be 
> updated appropriately.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1010: METRON-1548: Remove hardcoded source:type from Alerts UI

[merrimanr]

Github user merrimanr commented on the issue:

https://github.com/apache/metron/pull/1010
  
+1 pending travis


---

[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480767#comment-16480767
 ] 

ASF GitHub Bot commented on METRON-1567:


Github user cestella commented on the issue:

https://github.com/apache/metron/pull/1020
  
+1 by inspection


> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1020: METRON-1567: Large error message can't be written in Sol...

[cestella]

Github user cestella commented on the issue:

https://github.com/apache/metron/pull/1020
  
+1 by inspection


---

[jira] [Commented] (METRON-1567) Large error message can't be written in Solr

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480764#comment-16480764
 ] 

ASF GitHub Bot commented on METRON-1567:


GitHub user justinleet opened a pull request:

https://github.com/apache/metron/pull/1020

METRON-1567: Large error message can't be written in Solr

## Contributor Comments
This PR is against the feature branch.

There's a hard limit of ~32kb on string fields.  This migrates the 
raw_message fields to an unanalyzed TextField type, along with making it a 
dynamic field to handle the split into raw_messages_.

An integration test is added for this behavior which ensures no error is 
thrown on huge text, ensures the multiple values work as expected the say way, 
and that a plain string field does actually cause problems.

## Pull Request Checklist

Thank you for submitting a contribution to Apache Metron.  
Please refer to our [Development 
Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235)
 for the complete guide to follow for contributions.  
Please refer also to our [Build Verification 
Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview)
 for complete smoke testing guides.  


In order to streamline the review of the contribution we ask you follow 
these guidelines and ask you to double check the following:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? If not one needs to 
be created at [Metron 
Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [x] Does your PR title start with METRON- where  is the JIRA 
number you are trying to resolve? Pay particular attention to the hyphen "-" 
character.
- [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?


### For code changes:
- [x] Have you included steps to reproduce the behavior or problem that is 
being changed or addressed?
- [x] Have you included steps or a guide to how the change may be verified 
and tested manually?
- [ ] Have you ensured that the full suite of tests and checks have been 
executed in the root metron folder via:
  ```
  mvn -q clean integration-test install && 
dev-utilities/build-utils/verify_licenses.sh 
  ```

- [x] Have you written or updated unit tests and or integration tests to 
verify your changes?
- [ ] Have you verified the basic functionality of the build by building 
and running locally with Vagrant full-dev environment or the equivalent?

 Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up 
for your personal repository such that your branches are built there before 
submitting a pull request.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/justinleet/metron errorRawSchema

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/metron/pull/1020.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1020


commit 49c6971de3c9caa87db557a1c3a2a27ef6ef886c
Author: justinjleet 
Date:   2018-05-18T14:47:29Z

Schema change and integration test




> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> 

[jira] [Updated] (METRON-1567) Large error message can't be written in Solr

[Justin Leet (JIRA)]

 [ 
https://issues.apache.org/jira/browse/METRON-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Justin Leet updated METRON-1567:

Summary: Large error message can't be written in Solr  (was: Large error 
message can't be written)

> Large error message can't be written in Solr
> 
>
> Key: METRON-1567
> URL: https://issues.apache.org/jira/browse/METRON-1567
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> Error message on the feature branch:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at 
> http://ip-11-0-1-51.us-west-2.compute.internal:8983/solr/error: Exception 
> writing document id cd6db5c1-f41b-4dcf-8f68-583c7fc08575 to the index; 
> possible analysis error: Document contains at least one immense term in 
> field="raw_message_1" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped. Please correct the analyzer to not produce 
> such terms. The prefix of the first immense term is: '[123, 34, 101, 120, 99, 
> 101, 112, 116, 105, 111, 110, 34, 58, 34, 106, 97, 118, 97, 46, 105, 111, 46, 
> 70, 105, 108, 101, 78, 111, 116, 70]...', original message: bytes can be at 
> most 32766 in length; got 165866. Perhaps the document has an indexed string 
> field (solr.StrField) which is too large
> at 
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:612)
>  ~[stormjar.jar:?]
> ...{code}
> This is a hard limit of string fields, per 
> https://lucene.apache.org/solr/guide/6_6/field-types-included-with-solr.html
> It also mentions they aren't tokenized or analyzed, so it doesn't seem like 
> we'd be able to turn this limit off.
> Text fields don't list any sort of limit (although they may still have one), 
> so we may want to switch to that, but it would require testing.
> Additionally, it appears that raw_message is dynamic (since it's getting _1, 
> but we don't define it in the schema).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (METRON-1564) Full dev kafka has offsets.topic.replication.factor set to 3 instead of 1

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480646#comment-16480646
 ] 

ASF GitHub Bot commented on METRON-1564:


Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1016
  
I resolved this, but realized I should add onto Mike's comment for anyone 
else who looks back at this.

The Ambari tooltip just documents the Kafka behavior, rather than being an 
indication of something Ambari handles.  The latest Ambari tooltip doesn't 
reference the min behavior anymore, because it no longer occurs.


> Full dev kafka has offsets.topic.replication.factor set to 3 instead of 1
> -
>
> Key: METRON-1564
> URL: https://issues.apache.org/jira/browse/METRON-1564
> Project: Metron
>  Issue Type: Bug
>Reporter: Justin Leet
>Assignee: Justin Leet
>Priority: Major
>
> I saw an issue where no data was flowing through any topologies. A repeated 
> error in kafka showed offsets.topic.replication.factor being too low. We 
> should default this on full dev to 1 to avoid this issue.
> On further investigation, it looks like this setting changes between kafka 
> versions and will no longer auto create the offset topic on some versions if 
> the replication factor is too high, preventing data from flowing through.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1016: METRON-1564: Full dev kafka has offsets.topic.replicatio...

[justinleet]

Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1016
  
I resolved this, but realized I should add onto Mike's comment for anyone 
else who looks back at this.

The Ambari tooltip just documents the Kafka behavior, rather than being an 
indication of something Ambari handles.  The latest Ambari tooltip doesn't 
reference the min behavior anymore, because it no longer occurs.


---

[jira] [Commented] (METRON-1544) Flaky test: org.apache.metron.stellar.common.CachingStellarProcessorTest#testCaching

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480630#comment-16480630
 ] 

ASF GitHub Bot commented on METRON-1544:


Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/1015
  
@mmiklavc bump. Did I answer your question?  How is this looking?


> Flaky test: 
> org.apache.metron.stellar.common.CachingStellarProcessorTest#testCaching
> 
>
> Key: METRON-1544
> URL: https://issues.apache.org/jira/browse/METRON-1544
> Project: Metron
>  Issue Type: Bug
>Affects Versions: 0.4.3
> Environment: #uname -a
> Linux 60a83dc7a2ce 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 
> 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: Pravin Dsilva
>Assignee: Nick Allen
>Priority: Major
>
> command used: mvn test
> The test fails intermittently on master branch.
> {code:java}
> Running org.apache.metron.stellar.common.CachingStellarProcessorTest
> Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.054 sec <<< 
> FAILURE! - in org.apache.metron.stellar.common.CachingStellarProcessorTest
> testCaching(org.apache.metron.stellar.common.CachingStellarProcessorTest) 
> Time elapsed: 0.053 sec <<< FAILURE!
> java.lang.AssertionError: expected:<6> but was:<4>
>  at org.junit.Assert.fail(Assert.java:88)
>  at org.junit.Assert.failNotEquals(Assert.java:834)
>  at org.junit.Assert.assertEquals(Assert.java:645)
>  at org.junit.Assert.assertEquals(Assert.java:631)
>  at 
> org.apache.metron.stellar.common.CachingStellarProcessorTest.testCaching(CachingStellarProcessorTest.java:73)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>  at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  at java.lang.reflect.Method.invoke(Method.java:498)
>  at 
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
>  at 
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
>  at 
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
>  at 
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
>  at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
>  at 
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
>  at 
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
>  at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
>  at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
>  at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
>  at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
>  at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
>  at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
>  at 
> org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:283)
>  at 
> org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:173)
>  at 
> org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
>  at 
> org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:128)
>  at 
> org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:203)
>  at 
> org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:155)
>  at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1015: METRON-1544 Flaky test: org.apache.metron.stellar.common...

[nickwallen]

Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/1015
  
@mmiklavc bump. Did I answer your question?  How is this looking?


---

[jira] [Commented] (METRON-1548) Alerts UI: Remove hardcoded source:type and other fields that may vary

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480623#comment-16480623
 ] 

ASF GitHub Bot commented on METRON-1548:


Github user sardell commented on a diff in the pull request:

https://github.com/apache/metron/pull/1010#discussion_r189261776
  
--- Diff: 
metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts
 ---
@@ -77,12 +80,24 @@ export class TableViewComponent implements OnChanges {
   searchService: SearchService,
   metronDialogBox: MetronDialogBox,
   updateService: UpdateService,
-  metaAlertService: MetaAlertService) {
+  metaAlertService: MetaAlertService,
+  globalConfigService: GlobalConfigService) {
 this.router = router;
 this.searchService = searchService;
 this.metronDialogBox = metronDialogBox;
 this.updateService = updateService;
 this.metaAlertService = metaAlertService;
+this.globalConfigService = globalConfigService;
+  }
+
+  ngOnInit() {
+this.globalConfigService.get().subscribe((config: {}) => {
+  this.globalConfig = config;
+  if (this.globalConfig['source.type.field'] === 'source.type' && 
!this.alertsColumnsToDisplay['source.type']) {
--- End diff --

@merrimanr Good point. What if we check if a config property of 
['source.type.field'] exists and change it to whatever value it has. If no 
config exists, default to `source:type` (to catch existing users without a 
config property set)?

```
if (this.globalConfig['source.type.field']) {
this.alertsColumnsToDisplay.splice(2, 0, new 
ColumnMetadata(config['source.type.field'], 'string'));
  } 
else {
this.alertsColumnsToDisplay.splice(2, 0, new 
ColumnMetadata(config['source:type'], 'string'));
  }
```


> Alerts UI: Remove hardcoded source:type and other fields that may vary
> --
>
> Key: METRON-1548
> URL: https://issues.apache.org/jira/browse/METRON-1548
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Priority: Major
>
> In Solr, we use source.type instead of source:type (which was originally due 
> to ES limitations, we'd prefer it to be common across both). However, it's 
> hardcoded in the alerts UI to be source:type, so nothing in the UI has a 
> source type and it breaks other things like metaalerts (which rely on source 
> type for being able to pull the data together).
> Any other configs / queries that would cause similar problems should be 
> updated appropriately.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (METRON-1548) Alerts UI: Remove hardcoded source:type and other fields that may vary

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480621#comment-16480621
 ] 

ASF GitHub Bot commented on METRON-1548:


Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1010
  
I think the general ES migration to source.type is outside the scope of 
this PR.  That would have to be part of a larger migration anyway since you'd 
have to reindex data on an existing metron cluster to do that.  I'm sure we'll 
want to think about it at some point, though.


> Alerts UI: Remove hardcoded source:type and other fields that may vary
> --
>
> Key: METRON-1548
> URL: https://issues.apache.org/jira/browse/METRON-1548
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Priority: Major
>
> In Solr, we use source.type instead of source:type (which was originally due 
> to ES limitations, we'd prefer it to be common across both). However, it's 
> hardcoded in the alerts UI to be source:type, so nothing in the UI has a 
> source type and it breaks other things like metaalerts (which rely on source 
> type for being able to pull the data together).
> Any other configs / queries that would cause similar problems should be 
> updated appropriately.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron pull request #1010: METRON-1548: Remove hardcoded source:type from Al...

[sardell]

Github user sardell commented on a diff in the pull request:

https://github.com/apache/metron/pull/1010#discussion_r189261776
  
--- Diff: 
metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts
 ---
@@ -77,12 +80,24 @@ export class TableViewComponent implements OnChanges {
   searchService: SearchService,
   metronDialogBox: MetronDialogBox,
   updateService: UpdateService,
-  metaAlertService: MetaAlertService) {
+  metaAlertService: MetaAlertService,
+  globalConfigService: GlobalConfigService) {
 this.router = router;
 this.searchService = searchService;
 this.metronDialogBox = metronDialogBox;
 this.updateService = updateService;
 this.metaAlertService = metaAlertService;
+this.globalConfigService = globalConfigService;
+  }
+
+  ngOnInit() {
+this.globalConfigService.get().subscribe((config: {}) => {
+  this.globalConfig = config;
+  if (this.globalConfig['source.type.field'] === 'source.type' && 
!this.alertsColumnsToDisplay['source.type']) {
--- End diff --

@merrimanr Good point. What if we check if a config property of 
['source.type.field'] exists and change it to whatever value it has. If no 
config exists, default to `source:type` (to catch existing users without a 
config property set)?

```
if (this.globalConfig['source.type.field']) {
this.alertsColumnsToDisplay.splice(2, 0, new 
ColumnMetadata(config['source.type.field'], 'string'));
  } 
else {
this.alertsColumnsToDisplay.splice(2, 0, new 
ColumnMetadata(config['source:type'], 'string'));
  }
```


---

[GitHub] metron issue #1010: METRON-1548: Remove hardcoded source:type from Alerts UI

[justinleet]

Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1010
  
I think the general ES migration to source.type is outside the scope of 
this PR.  That would have to be part of a larger migration anyway since you'd 
have to reindex data on an existing metron cluster to do that.  I'm sure we'll 
want to think about it at some point, though.


---

[jira] [Commented] (METRON-1548) Alerts UI: Remove hardcoded source:type and other fields that may vary

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480617#comment-16480617
 ] 

ASF GitHub Bot commented on METRON-1548:


Github user merrimanr commented on the issue:

https://github.com/apache/metron/pull/1010
  
@justinleet I agree with you that it's not a serious problem.  I think it 
can be solved more easily with documentation and some manual steps from the 
user.  There is some logic we need to fix, specifically around substituting the 
source.type.field value for "source:type" (I added comments for those).  Other 
than that, I'm good with documenting how to switch to Solr in the Solr feature 
branch.

There is also the case of upgrading ES and using "source.type" since that 
name is allowed in later versions.  Is that something we need to think about 
and document?  


> Alerts UI: Remove hardcoded source:type and other fields that may vary
> --
>
> Key: METRON-1548
> URL: https://issues.apache.org/jira/browse/METRON-1548
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Priority: Major
>
> In Solr, we use source.type instead of source:type (which was originally due 
> to ES limitations, we'd prefer it to be common across both). However, it's 
> hardcoded in the alerts UI to be source:type, so nothing in the UI has a 
> source type and it breaks other things like metaalerts (which rely on source 
> type for being able to pull the data together).
> Any other configs / queries that would cause similar problems should be 
> updated appropriately.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (METRON-1565) Metaalerts fix denormalization after moving to active status

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480605#comment-16480605
 ] 

ASF GitHub Bot commented on METRON-1565:


Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1017
  
+1 by inspection.  Thanks for the contribution!


> Metaalerts fix denormalization after moving to active status
> 
>
> Key: METRON-1565
> URL: https://issues.apache.org/jira/browse/METRON-1565
> Project: Metron
>  Issue Type: Bug
>Reporter: Ryan Merriman
>Assignee: Ryan Merriman
>Priority: Major
>
> The process of updating from inactive to active is slightly incomplete. Check 
> out 
> [https://github.com/apache/metron/pull/970/files#diff-b7359d01c3ffbed48b7fdaa2d32169e7R246].
> Say we have these three steps:
>  - Metaalert is updated to inactive
>  - (Former) child alert is updated.
>  - Metaalert is made active again.
> The update will be missing from the metaalert. We need to update the 
> metaalert with the current state of any alerts (which we conveniently have 
> because we needed to update them all anyway!). This is a problem with both ES 
> and Solr (which shouldn't be surprising since that link is to the abstract 
> DAO). Basically, this should just be adding all the alerts in the metaalert 
> back into the updated version of the document before passing it to the 
> update. It also needs an associated test case.
> This fix should be made against master and pulled into the Solr branch (and 
> the metaalerts PR afterwards). See 
> [https://github.com/apache/metron/blob/e59059bd9707a6ca46c4137d796b8f2943f06b43/metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java#L351].
>  Main thing might just be reordering the class to build the metaalert update 
> itself after grabbing all the alerts.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1017: METRON-1565: Metaalerts fix denormalization after moving...

[justinleet]

Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1017
  
+1 by inspection.  Thanks for the contribution!


---

[jira] [Commented] (METRON-1548) Alerts UI: Remove hardcoded source:type and other fields that may vary

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/METRON-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480513#comment-16480513
 ] 

ASF GitHub Bot commented on METRON-1548:


Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1010
  
@merrimanr After thinking about this a bit, is that actually a serious 
problem?  This setting is likely to only be done on initial install (e.g. when 
selecting Solr or ES).  Switching midlife is unlikely to be a problem for the 
vast majority of users.  Most users should never see the problem of it being 
switched because they'd never see `source:type` instead of `source.type` or 
vice versa, because you'd have to reindex all your old data into the new format 
anyway.  We'd need to improve documentation in the Solr feature branch to 
ensure that users initially set it up appropriately.

Another way of going about this might be to have the app itself get config 
updates on the fly similar to how our topologies do, given that this particular 
one is from ZK.  At that point, you could do the mapping from old source type 
to new source type and update the storage appropriately.  I'm sure there's way 
more to it than just doing that though (when do you update UI for users, what 
are the potential snags in updating that when users are querying, etc.).


> Alerts UI: Remove hardcoded source:type and other fields that may vary
> --
>
> Key: METRON-1548
> URL: https://issues.apache.org/jira/browse/METRON-1548
> Project: Metron
>  Issue Type: Sub-task
>Reporter: Justin Leet
>Priority: Major
>
> In Solr, we use source.type instead of source:type (which was originally due 
> to ES limitations, we'd prefer it to be common across both). However, it's 
> hardcoded in the alerts UI to be source:type, so nothing in the UI has a 
> source type and it breaks other things like metaalerts (which rely on source 
> type for being able to pull the data together).
> Any other configs / queries that would cause similar problems should be 
> updated appropriately.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[GitHub] metron issue #1010: METRON-1548: Remove hardcoded source:type from Alerts UI

[justinleet]

Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/1010
  
@merrimanr After thinking about this a bit, is that actually a serious 
problem?  This setting is likely to only be done on initial install (e.g. when 
selecting Solr or ES).  Switching midlife is unlikely to be a problem for the 
vast majority of users.  Most users should never see the problem of it being 
switched because they'd never see `source:type` instead of `source.type` or 
vice versa, because you'd have to reindex all your old data into the new format 
anyway.  We'd need to improve documentation in the Solr feature branch to 
ensure that users initially set it up appropriately.

Another way of going about this might be to have the app itself get config 
updates on the fly similar to how our topologies do, given that this particular 
one is from ZK.  At that point, you could do the mapping from old source type 
to new source type and update the storage appropriately.  I'm sure there's way 
more to it than just doing that though (when do you update UI for users, what 
are the potential snags in updating that when users are querying, etc.).


---