Blank message field

matheus.santoro · August 10, 2020, 4:37pm

Trying to create a simple, non-filtered pipeline, but Kibana shows the message field as blank

Pipeline conf is

input {
  tcp {
    port => 9600
    codec => json
    mode => server
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "myindex"
  }
}

When starting Logstash the following message is displayed

[WARN ] 2020-08-10 16:33:02.698 [[main]>worker0] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"myindex", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0xbba272>], :response=>{"index"=>{"_index"=>"myindex", "_type"=>"_doc", "_id"=>"oJs32XMBjyfMsZpZ2EjQ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [message] tried to parse field [message] as object, but found a concrete value"}}}}

Other fields are being mapped, but I would like to see the full message as wel...

Badger · August 10, 2020, 5:20pm

Does this help?

matheus.santoro · August 10, 2020, 6:40pm

This is the mapping of the message field:

      },
        "message" : {
          "properties" : {
            "someField" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            }
          }
        },

Tried to change/add this mapping with

{
  "properties": {
    "message": {
      "type": "object"
    }
  }
}

My point is - I am missing some information on the fields ES is detecting, so I would like to see the full message. Am I in the right direction?

Thank you

Badger · August 10, 2020, 7:21pm

If I am reading that correctly then elasticsearch expects the field

[message][someField]

to exist. That makes [message] an object, not a string. You could try

if ![message][someField] { mutate { rename => { "message" => "originalMessage" } } }

matheus.santoro · August 10, 2020, 9:12pm

Thanks @Badger after applying the filter you suggested, the messages are being displayed on the doc.

However, every line of this message generates a new doc, instead of showing the full message in the same doc. Is there any way we can group these lines into a single message?

** Edit: These docs share a common field, i.e. execution.execid - Is there a way to aggregate all messages into the same doc, based on this ID?

Thanks

Badger · August 10, 2020, 9:17pm

I have no idea why that could be happening, so no suggestions on how to fix it.

Topic		Replies	Views
org.elasticsearch.index.mapper.MapperParsingException: object mapping for [message] tried to parse field [message] as object, but found a concrete value Logstash	11	4399	June 21, 2019
Two fields with different values in Kibana Kibana	4	609	December 8, 2016
Elasticsearch not saving all fields from logstash Logstash	2	442	July 23, 2021
Logstash: ingest only message on elasticsearch Logstash	2	556	December 2, 2019
Error sending message to elastic via logstash (Can't get text on a START_OBJECT) Logstash	1	1708	October 5, 2018

Blank message field

Related topics