Failed to expand fields: cannot expand "field" found conflicting key

nobeerhere · March 3, 2023, 9:54am

hi there

I am using ECS logging for Java and so far it worked fine. I now have the issue that the log structure changed a bit (field trace.id & transation.id are new) and i am having a conflicting key value. This also makes sense to me but i am cant figure out how i can fix this issue.

JSON-Log:

{
	"@timestamp": "2023-03-03T00:34:57.520Z",
	"log.level": "INFO",
	"message": "some message",
	"ecs.version": "1.2.0",
	"service.name": "srv-core",
	"event.dataset": "srv-core",
	"process.thread.name": "http-nio-14002-exec-4",
	"log.logger": "some logger",
	"path": "some path",
	"trace": "izlev4",
	"trace.id": "4e57fa5f3d47e9b54f8a17d1b83d92cd",
	"transaction.id": "99cb6deeb2cf431a",
	"ip": "ip",
	"user": "email",
	"tenant": "test-ag1"
}

As far as i understand the issue we do have two rook fields "trace" which differ in their type.

Filebeat 8.3.3 config:

- type: filestream

  id: filestream

  enabled: true

  paths:
    - log.json

  parsers:
    - ndjson:
        target: ""
        overwrite_keys: true
        add_error_key: true
        expand_keys: true

i tried to drop the field trace, but this is somehow not working properly. What options do i have?

Thanks for helping out.

nobeerhere · March 3, 2023, 1:56pm

In the meantime i have found the reason that changed the log structure. We also upgraded to APM Agent 1.35.0 and this agent created these two new fields.

If i downgrade to the older version the new fields disappear and the log ingesting is working again.

But maybe someone still has a hint on how i could fix my issue.

stephenb · March 4, 2023, 7:26pm

Yup that is right this is in valid

	"trace": "izlev4",
	"trace.id": "4e57fa5f3d47e9b54f8a17d1b83d92cd",
	"transaction.id": "99cb6deeb2cf431a",

How? Show the code....

What is the error message... you probably have a mapping where trace is a keyword... so trace.id which is an object with a field will fail with a mapping error...

You may need to create a new index so the proper mapping can be applied.

Show the code... show the error perhaps we can help.

system · April 1, 2023, 9:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ndjson.expand_keys doesn't seem to work Beats filebeat	5	479	September 7, 2022
How to stop Filebeat from shipping incorrect JSON to Elastic? Beats ecs-elastic-common-schema , filebeat	2	25	November 13, 2024
Filebeat failing to parse docker json-file logs Beats docker , filebeat	2	1171	March 15, 2022
Issue with JSON logs and field 'log.level' Beats filebeat	3	416	July 30, 2019
ERROR instance/beat.go:971 Exiting: error initializing processors: unexpected expand_keys option in processors.1.decode_json_fields Beats filebeat	5	861	June 19, 2021

Failed to expand fields: cannot expand "field" found conflicting key

Related topics