Could not index event to Elasticsearch status 400

Hi All,

I am getting the following error while index a document:

[2018-10-02T08:00:11,897][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"clog-2018.10.02", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x23999e37], :response=>{"index"=>{"_index"=>"clog-2018.10.02", "_type"=>"doc", "_id"=>"mNRcM2YBN0hyJV_JzDLg", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:520"}}}}}

This of course is a problem. Is there a way to dump the document that is causing this error?

So it turns out you can set:

dead_letter_queue.enable: true
path.dead_letter_queue: /opt/logstash/dead_letter_queue

That will give you the messages that are cause 400 or 404 error while indexing.
(the path is not required, if not set it defaults to LOGSTASH_HOME/dead_letter_queue/main)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.