[BUG] Rule query index template misses log types with empty mappings (e.g. apache_access) #1640
What is the bug?
Description
RuleTopicIndices builds the index_patterns for the rule query index template using LogTypeService.getAllLogTypes().
This method is based on a terms aggregation over FieldMappingDoc.log_types, so log types with empty mappings are excluded.
Example: apache_access is a built‑in log type, but its OSMapping/apache_access_logtype.json has an empty mappings array, so it does not appear in the log_types aggregation and is therefore missing from .opensearch-sap-detectors-queries-index-template.
As a result, when a rule query index is created for apache_access, the settings from detector-settings.json (including rule_analyzer) are not applied, and monitor creation fails when it tries to PUT the mapping. The error log below shows this:
[2026-02-02T07:06:45,659][ERROR][o.o.a.u.DocLevelMonitorQueries] [manager1] unknown exception during PUT mapping on queryIndex: .opensearch-sap-apache_access-detectors-queries-optimized-1ef37621-6d48-40a5-b50a-3ddf59086b79-000001, retrying with deletion of query index
java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings
    at org.opensearch.index.mapper.ParametrizedFieldMapper$Parameter.lambda$analyzerParam$0(ParametrizedFieldMapper.java:521) ~[opensearch-3.4.0.jar:3.4.0]
    ...
How can one reproduce the bug?
Steps to reproduce the behavior:
- Create a detector of type apache_access (dedicated query indices enabled or disabled).
- Inspect the generated rule query index (e.g. .opensearch-sap-apache_access-detectors-queries*).
- Check whether the index settings/mappings include rule_analyzer.
What is the expected behavior?
All built‑in log types (all log types present in metadata) should have their rule query indices created with the common settings from .opensearch-sap-detectors-queries-index-template, including rule_analyzer.
What is your host/environment?
- OS: docker
- Version [e.g. 22]
- Plugins
Do you have any screenshots?
If applicable, add screenshots to help explain your problem.
Do you have any additional context?
Add any other context about the problem.
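
An offline check for the condition this report describes, added here as an example (it is not code from the plugin or from the reporter): given a saved `GET _index_template/...` response and a saved `GET <index>/_settings` response, it lists log types whose query index matches no `index_patterns` entry and indices that lack `rule_analyzer`. The sample responses, the `dns` and `windows` log types, the pattern strings and the `query_index_name` helper are assumptions modelled on the index name in the error log.

```python
import fnmatch

TEMPLATE_NAME = ".opensearch-sap-detectors-queries-index-template"  # from the report

# Constructed sample, shaped like a GET _index_template/<name> response.
# The log types "dns" and "windows" and the pattern strings are assumptions.
SAMPLE_TEMPLATE = {"index_templates": [{
    "name": TEMPLATE_NAME,
    "index_template": {"index_patterns": [
        ".opensearch-sap-dns-detectors-queries*",
        ".opensearch-sap-windows-detectors-queries*",
    ]},
}]}

# Constructed sample, shaped like a GET <index>/_settings response.
# The analyzer definition is a placeholder, not the plugin's real one.
SAMPLE_SETTINGS = {
    ".opensearch-sap-dns-detectors-queries-000001": {"settings": {"index": {
        "analysis": {"analyzer": {"rule_analyzer": {"type": "custom", "tokenizer": "keyword"}}}}}},
    ".opensearch-sap-apache_access-detectors-queries-000001": {"settings": {"index": {}}},
}

def query_index_name(log_type):
    """Hypothetical helper: naming assumed from the index in the error log."""
    return f".opensearch-sap-{log_type}-detectors-queries-000001"

def uncovered_log_types(template_response, log_types):
    """Return log types whose query index matches no index_patterns entry."""
    patterns = [p for t in template_response["index_templates"]
                for p in t["index_template"]["index_patterns"]]
    return sorted(lt for lt in log_types
                  if not any(fnmatch.fnmatchcase(query_index_name(lt), p) for p in patterns))

def indices_missing_analyzer(settings_response, analyzer="rule_analyzer"):
    """Return index names whose settings do not define the given analyzer."""
    missing = []
    for name, body in settings_response.items():
        index_cfg = body.get("settings", {}).get("index", {})
        if analyzer not in index_cfg.get("analysis", {}).get("analyzer", {}):
            missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    print(uncovered_log_types(SAMPLE_TEMPLATE, ["apache_access", "dns", "windows"]))
    print(indices_missing_analyzer(SAMPLE_SETTINGS))
```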