Hi everyone,
Today, I check log from logstash-plain.log and I see many event was spam from one error like that:
[2019-11-12T16:03:53,696][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"pfsense-2019.11.12", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x2ee2f488>], :response=>{"index"=>{"_index"=>"pfsense-2019.11.12", "_type"=>"_doc", "_id"=>"fI7aXm4BoRxUhT6C4-Ah", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [rule] of type [text] in document with id 'fI7aXm4BoRxUhT6C4-Ah'. Preview of field's value: '{firedtimes=89, level=1, groups=[syslog, errors], comment=Unknown problem somewhere in the system., sidid=1002}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:270"}}}}}
[2019-11-12T16:03:53,696][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"pfsense-2019.11.12", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x5bcd95a7>], :response=>{"index"=>{"_index"=>"pfsense-2019.11.12", "_type"=>"_doc", "_id"=>"fY7aXm4BoRxUhT6C4-Ah", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [rule] of type [text] in document with id 'fY7aXm4BoRxUhT6C4-Ah'. Preview of field's value: '{firedtimes=30, level=1, groups=[local, syslog], comment=Multi Unknown problem somewhere in the system, sidid=100037, frequency=2}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:270"}}}}}
[2019-11-12T16:03:53,697][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"pfsense-2019.11.12", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x739b5fd4>], :response=>{"index"=>{"_index"=>"pfsense-2019.11.12", "_type"=>"_doc", "_id"=>"fo7aXm4BoRxUhT6C4-Ah", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [rule] of type [text] in document with id 'fo7aXm4BoRxUhT6C4-Ah'. Preview of field's value: '{firedtimes=94, level=1, groups=[syslog, errors], comment=Unknown problem somewhere in the system., sidid=1002}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:270"}}}}}
[2019-11-12T16:03:53,697][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"pfsense-2019.11.12", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0xc7ba976>], :response=>{"index"=>{"_index"=>"pfsense-2019.11.12", "_type"=>"_doc", "_id"=>"f47aXm4BoRxUhT6C4-Ah", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [rule] of type [text] in document with id 'f47aXm4BoRxUhT6C4-Ah'. Preview of field's value: '{firedtimes=96, level=1, groups=[syslog, errors], comment=Unknown problem somewhere in the system., sidid=1002}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:270"}}}}}
My logstash version: 7.3.1
Please help me to clarify where is bug and how to debug.
I'm looking forward to hearing from you soon