Before you begin reading this guide, we recommend you try running the Elasticsearch Error Check-Up which analyzes 2 JSON files to detect many configuration errors.
Briefly, this error occurs when a query string in Elasticsearch starts with a certain character or word. Elasticsearch may reject certain characters or words at the beginning of a query string for security reasons. To resolve the issue, remove the offending character or word from the beginning of the query string.
To easily locate the root cause and resolve this issue try AutoOps for Elasticsearch & OpenSearch. It diagnoses problems by analyzing hundreds of metrics collected by a lightweight agent and offers guidance for resolving them.
Take a self-guided product tour to see for yourself (no registration required).
This guide will help you check for common problems that cause the log ” must not start with ‘_’. ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: metadata and cluster.
Overview
Metadata in Elasticsearch refers to additional information stored for each document. This is achieved using the specific metadata fields available in Elasticsearch. The default behavior of some of these metadata fields can be customized during mapping creation.
Examples
Using _meta meta-field for storing application-specific information with the mapping:
PUT /my_index?pretty
{
"mappings": {
"_meta": {
"domain": "security",
"release_information": {
"date": "18-01-2020",
"version": "7.5"
}
}
}
}Notes
- In version 2.x, Elasticsearch had a total 13 meta fields available, which are: _index, _uid, _type, _id, _source, _size, _all, _field_names, _timestamp, _ttl, _parent, _routing, _meta
- In version 5.x, _timestamp and _ttl meta fields were removed.
- In version 6.x, the _parent meta field was removed.
- In version 7.x, _uid and _all meta fields were removed.
Overview
An Elasticsearch cluster consists of a number of servers (nodes) working together as one. Clustering is a technology which enables Elasticsearch to scale up to hundreds of nodes that together are able to store many terabytes of data and respond coherently to large numbers of requests at the same time.
Search or indexing requests will usually be load-balanced across the Elasticsearch data nodes, and the node that receives the request will relay requests to other nodes as necessary and coordinate the response back to the user.
Notes and good things to know
The key elements to clustering are:
Cluster State – Refers to information about which indices are in the cluster, their data mappings and other information that must be shared between all the nodes to ensure that all operations across the cluster are coherent.
Master Node – Each cluster must elect a single master node responsible for coordinating the cluster and ensuring that each node contains an up-to-date copy of the cluster state.
Cluster Formation – Elasticsearch requires a set of configurations to determine how the cluster is formed, which nodes can join the cluster, and how the nodes collectively elect a master node responsible for controlling the cluster state. These configurations are usually held in the elasticsearch.yml config file, environment variables on the node, or within the cluster state.
Node Roles – In small clusters it is common for all nodes to fill all roles; all nodes can store data, become master nodes or process ingestion pipelines. However as the cluster grows, it is common to allocate specific roles to specific nodes in order to simplify configuration and to make operation more efficient. In particular, it is common to define a limited number of dedicated master nodes.
Replication – Data may be replicated across a number of data nodes. This means that if one node goes down, data is not lost. It also means that a search request can be dealt with by more than one node.
Common problems
Many Elasticsearch problems are caused by operations which place an excessive burden on the cluster because they require an excessive amount of information to be held and transmitted between the nodes as part of the cluster state. For example:
- Shards too small
- Too many fields (field explosion)
Problems may also be caused by inadequate configurations causing situations where the Elasticsearch cluster is unable to safely elect a Master node. This situation is discussed further in:
Backups
Because Elasticsearch is a clustered technology, it is not sufficient to have backups of each node’s data directory. This is because the backups will have been made at different times and so there may not be complete coherency between them. As such, the only way to backup an Elasticsearch cluster is through the use of snapshots, which contain the full picture of an index at any one time.
Cluster resilience
When designing an Elasticsearch cluster, it is important to think about cluster resilience. In particular – what happens when a single node goes down? And for larger clusters where several nodes may share common services such as a network or power supply – what happens if that network or power supply goes down? This is where it is useful to ensure that the master eligible nodes are spread across availability zones, and to use shard allocation awareness to ensure that shards are spread across different racks or availability zones in your data center.
Log Context
Log “must not start with ‘_’.”classname is IndexNameExpressionResolver.java We extracted the following from Elasticsearch source code for those seeking an in-depth context :
// Expressions can not start with an underscore. This is reserved for APIs. If the check gets here; the API
// does not exist and the path is interpreted as an expression. If the expression begins with an underscore;
// throw a specific error that is different from the [[IndexNotFoundException]]; which is typically thrown
// if the expression can't be found.
if (expression.charAt(0) == '_') {
throw new InvalidIndexNameException(expression; "must not start with '_'.");
}
}
private static boolean aliasOrIndexExists(Context context; IndicesOptions options; Metadata metadata; String expression) {
IndexAbstraction indexAbstraction = metadata.getIndicesLookup().get(expression);
Find & fix Elasticsearch problems
