Briefly, this error occurs when Elasticsearch is trying to execute a sequence query that requires a [maxspan] parameter, but it is not provided. The [maxspan] parameter is used to specify the maximum timespan within which the sequence of events should occur. To resolve this issue, you should include the [maxspan] parameter in your sequence query. Make sure to specify it in the correct format, which is a time value such as “1h”, “15m”, “30s”, etc.
This guide will help you check for common problems that cause the log ” [maxspan] is required for sequences with missing events queries; found none ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: parser, plugin.
Log Context
Log “[maxspan] is required for sequences with missing events queries; found none” class name is LogicalPlanBuilder.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :
} else {
until = defaultUntil(source);
} if (maxSpan.duration() < 0 && queries.stream().anyMatch(x -> x.isMissingEventFilter())) {
throw new ParsingException(source; "[maxspan] is required for sequences with missing events queries; found none");
} if (queries.stream().allMatch(KeyedFilter::isMissingEventFilter)) {
throw new IllegalStateException("A sequence requires at least one positive event query; found none");
}
[ratemypost]
