https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-data-in-whit-elasticsearch-data-integrator-app/m-p/577476#M75680 <P>hi,</P> <P>We need to configure the TA-elasticsearch-data-integrator---modular-input app and we receive data.<BR />The problem is : we do receive data, but not all...</P> <P>here is the app conf:</P> <PRE>Name ALogName<BR />Intervalle 3600<BR />Index MyIndex<BR />Statut Activated<BR />Elasticsearch instance URL: MyName<BR />Port #: MyPort<BR />Use SSL 1<BR />Verify Certs 1<BR />CA Certs Path: /my/ca.pem<BR />User: MyUser<BR />Secret / Password: MyPassword<BR />Elasticsearch Indice: MyIndice<BR />Elasticsearch Date field name: @timestamp<BR />Time Preset: 30d<BR />Custom Source Type: json </PRE> <P>If i use CLI, with the exact same configuration, except i use match, I receive the good datas.</P> <PRE>curl -u "MyUser:MyPassword" -k "https://MyName:MyPort/MyIndice/_search?&amp;scroll=1m&amp;size=1000" -H 'Content-Type: application/json' -d'{"query": {"match": {"message": "MyMessage"}}, "sort": { "@timestamp": "desc" }}'<BR />{"_scroll_id":"[...]","took":695,"timed_out":false,"_shards":{"total":8,"successful":8,"skipped":0,"failed":0},"hits":{"total":{"value":3,"relation":"eq"},"max_score":null,"hits":[...MyData...]</PRE> <P>here is the logs of the app:</P> <PRE>2021-12-06 13:29:00,073 INFO pid=26584 tid=MainThread file=base.py:log_request_success:271 | POST https://MyName:MyPort/MyIndice/_search?scroll=2m&amp;size=1000 [status:200 request:0.870s]<BR />2021-12-06 13:37:12,701 WARNING pid=26584 tid=MainThread file=base.py:log_request_fail:299 | POST https://MyName:MyPort/_search/scroll [status:404 request:0.076s]<BR />2021-12-06 13:37:12,703 INFO pid=26584 tid=MainThread file=base.py:log_request_success:271 | DELETE https://MyName:MyPort/_search/scroll [status:404 request:0.002s]<BR />2021-12-06 13:37:12,705 ERROR pid=26584 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.<BR />Traceback (most recent call last):<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events<BR />self.collect_events(ew)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/elasticsearch_json.py", line 104, in collect_events<BR />input_module.collect_events(self, ew)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/input_module_elasticsearch_json.py", line 109, in collect_events<BR />for doc in res:<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/helpers/actions.py", line 589, in scan<BR />body={"scroll_id": scroll_id, "scroll": scroll}, **scroll_kwargs<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/client/utils.py", line 168, in _wrapped<BR />return func(*args, params=params, headers=headers, **kwargs)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/client/__init__.py", line 1513, in scroll<BR />"POST", "/_search/scroll", params=params, headers=headers, body=body<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/transport.py", line 415, in perform_request<BR />raise e<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/transport.py", line 388, in perform_request<BR />timeout=timeout,<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/connection/http_urllib3.py", line 275, in perform_request<BR />self._raise_error(response.status, raw_data)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/connection/base.py", line 331, in _raise_error<BR />status_code, error_message, additional_info<BR />elasticsearch.exceptions.NotFoundError: NotFoundError(404, 'search_phase_execution_exception', 'No search context found for id [9884105]')</PRE> <P>Any help would be great, thanks!</P> Wed, 09 Aug 2023 16:09:11 GMT Expl 2023-08-09T16:09:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-data-in-whit-elasticsearch-data-integrator-app/m-p/577476#M75680 <P>hi,</P> <P>We need to configure the TA-elasticsearch-data-integrator---modular-input app and we receive data.<BR />The problem is : we do receive data, but not all...</P> <P>here is the app conf:</P> <PRE>Name ALogName<BR />Intervalle 3600<BR />Index MyIndex<BR />Statut Activated<BR />Elasticsearch instance URL: MyName<BR />Port #: MyPort<BR />Use SSL 1<BR />Verify Certs 1<BR />CA Certs Path: /my/ca.pem<BR />User: MyUser<BR />Secret / Password: MyPassword<BR />Elasticsearch Indice: MyIndice<BR />Elasticsearch Date field name: @timestamp<BR />Time Preset: 30d<BR />Custom Source Type: json </PRE> <P>If i use CLI, with the exact same configuration, except i use match, I receive the good datas.</P> <PRE>curl -u "MyUser:MyPassword" -k "https://MyName:MyPort/MyIndice/_search?&amp;scroll=1m&amp;size=1000" -H 'Content-Type: application/json' -d'{"query": {"match": {"message": "MyMessage"}}, "sort": { "@timestamp": "desc" }}'<BR />{"_scroll_id":"[...]","took":695,"timed_out":false,"_shards":{"total":8,"successful":8,"skipped":0,"failed":0},"hits":{"total":{"value":3,"relation":"eq"},"max_score":null,"hits":[...MyData...]</PRE> <P>here is the logs of the app:</P> <PRE>2021-12-06 13:29:00,073 INFO pid=26584 tid=MainThread file=base.py:log_request_success:271 | POST https://MyName:MyPort/MyIndice/_search?scroll=2m&amp;size=1000 [status:200 request:0.870s]<BR />2021-12-06 13:37:12,701 WARNING pid=26584 tid=MainThread file=base.py:log_request_fail:299 | POST https://MyName:MyPort/_search/scroll [status:404 request:0.076s]<BR />2021-12-06 13:37:12,703 INFO pid=26584 tid=MainThread file=base.py:log_request_success:271 | DELETE https://MyName:MyPort/_search/scroll [status:404 request:0.002s]<BR />2021-12-06 13:37:12,705 ERROR pid=26584 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.<BR />Traceback (most recent call last):<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events<BR />self.collect_events(ew)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/elasticsearch_json.py", line 104, in collect_events<BR />input_module.collect_events(self, ew)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/input_module_elasticsearch_json.py", line 109, in collect_events<BR />for doc in res:<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/helpers/actions.py", line 589, in scan<BR />body={"scroll_id": scroll_id, "scroll": scroll}, **scroll_kwargs<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/client/utils.py", line 168, in _wrapped<BR />return func(*args, params=params, headers=headers, **kwargs)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/client/__init__.py", line 1513, in scroll<BR />"POST", "/_search/scroll", params=params, headers=headers, body=body<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/transport.py", line 415, in perform_request<BR />raise e<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/transport.py", line 388, in perform_request<BR />timeout=timeout,<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/connection/http_urllib3.py", line 275, in perform_request<BR />self._raise_error(response.status, raw_data)<BR />File "/opt/splunk/etc/apps/TA-elasticsearch-data-integrator---modular-input/bin/ta_elasticsearch_data_integrator_modular_input/elasticsearch/connection/base.py", line 331, in _raise_error<BR />status_code, error_message, additional_info<BR />elasticsearch.exceptions.NotFoundError: NotFoundError(404, 'search_phase_execution_exception', 'No search context found for id [9884105]')</PRE> <P>Any help would be great, thanks!</P> Wed, 09 Aug 2023 16:09:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-data-in-whit-elasticsearch-data-integrator-app/m-p/577476#M75680 Expl 2023-08-09T16:09:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-data-in-whit-elasticsearch-data-integrator-app/m-p/653684#M79571 <P>Hi, we facing the same problem.</P><P>Did you get any help ?</P> Wed, 09 Aug 2023 07:03:36 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-data-in-whit-elasticsearch-data-integrator-app/m-p/653684#M79571 Brenny 2023-08-09T07:03:36Z