Can't get text on a START_OBJECT

jhansibalu · September 25, 2020, 6:06pm

Hi I am sending logs to kibana using filebeat ,and I am facing below error while sending logs .Some of the events doesn't have host in raw data facinf error for that events.

[2020-09-24T09:20:40,591][WARN ][logstash.outputs.elasticsearch][main] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filetest-", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x6eb22ef8], :response=>{"index"=>{"_index"=>"filetest-", "_type"=>"_doc", "_id"=>"keBFwHQB9GB4WNUD5v0d", "status"=>400, "error"=>{"type"=>"mapper_parPreformatted textsing_exception", "reason"=>"failed to parse field [host.hostname] of type [keyword] in document with id 'keBFwHQB9GB4WNUD5v0d'. Preview of field's value: '{}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:603"}}}}}

my logstash config is:

input {
  beats {
    host => "192.168.1.242"
    port => 5526
  }
}
filter {

   grok {
       match => [
          "message", "%%{CISCO_REASON:network}-%{INT}-%{CISCO_REASON}:"
         "message", "(%{TIME}|%{TIMESTAMP_ISO8601}|%{YEAR}) %{HOSTNAME:host} %{WORD:[event][category]}.*?:%{GREEDYDATA:summary}" ]
       overwrite => ["host"]
    }
   mutate { rename => { "host" => "[host][hostname]" } }
}
 
output {
  elasticsearch {
hosts => ["192.168.1.242:9200"]
index => "filebeattest-"

  }
  stdout {
codec => rubydebug
  }
}

Thanks in advance.

warkolm · September 28, 2020, 3:25am

So it looks like there is no hostname there?

We've also explained this error here - Can't get text on a START_OBJECT

jhansibalu · September 28, 2020, 4:02pm

Thanks for your response but still have small issue , I tried with your solution added below configuration to my conf file

if ! [host][hostname] {
mutate { rename => { "[host]" => "[host][hostname]" } }
mutate { replace => { "[host]" => "%{[host][name]}"  } }
 }
}

I am getting below output for host.hostname field

host.hostname {"hostname":"euw2a-aero03"}

why it's taking hostname word along with value? Please help me on this

system · October 26, 2020, 6:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to parse the field Elasticsearch	2	698	October 26, 2020
Can't get text on a START_OBJECT at 1:708 Beats filebeat	2	331	July 26, 2020
Can't get text on a START_OBJECT at 1:1043 Logstash	5	8819	September 5, 2019
Failed to parse [host] error Logstash	3	801	January 24, 2019
Failed to parse field [host] of type [text] .. can't get text on a START_OBJECT at 1:974 Logstash beats-module	3	12888	June 30, 2020

Can't get text on a START_OBJECT

Related topics