Failed to parse error for certain records

bkasrai · June 7, 2019, 4:13pm

Good morning all, I am ingesting some logs and while specific records make it over, I am seeing errors in the logs and they are not making it over to Kibana outside of your standard fields (doc_id, index, time, etc) I have provided my conf.d below along with the errors and logs that are being used for ingestion. Any information to rectify this would greatly be appreciated.

logstash conf.d

input {
 file {
   path => "/var/log/logstash/casb_storage/proofpoint/10KLines.txt"
   sincedb_path => "/var/log/logstash/sincedb_path/proofpoint_pos_file"
   start_position => "end"
   mode => "tail"
 }
}

filter {
  grok { match => { "message" => "\[(?<timestamp>[^\]]+)\] %{GREEDYDATA:proofpoint}" }
   }

   kv {
     source => "proofpoint"
     field_split => " "
     include_brackets => true
     recursive => "true"
     value_split => "="
     whitespace => "strict"
   }


date { locale => "en"
match => [ "timestamp","YYYY-MM-dd HH:mm:ss.SSSSSS ZZ" ] }

   mutate {
     remove_field => [ "proofpoint","message", "syslog_hostname","path","@index","@version","host","port","tags" ]
   }
}

output {
   elasticsearch {
     hosts => [ "http://es.server:9200" ]
     user =>  "elastic"
     password => "elastic_test_p@ssw0rd"
     index => "proofpoint-%{+YYYY.MM}"
   }
}

Errors in logs (this is repetitive for a lot of different fields)

[    WARN ] 2019-06-07 10:31:18.198 [[main]>worker8] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"proofpoint-2019.06", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x67d691f3>], :response=>{"index"=>{"_index"=>"proofpoint-2019.06", "_type"=>"_doc", "_id"=>"GD6QMmsBh_NbzFsD0AjZ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dict] of type [text] in document with id 'GD6QMmsBh_NbzFsD0AjZ'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:102"}}}}}
    [WARN ] 2019-06-07 10:31:18.199 [[main]>worker5] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"proofpoint-2019.06", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x5824460d>], :response=>{"index"=>{"_index"=>"proofpoint-2019.06", "_type"=>"_doc", "_id"=>"fD6QMmsBh_NbzFsD0AXK", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [version] tried to parse field [version] as object, but found a concrete value"}}}}

Logs for ingestion-

[2019-06-06 17:06:18.402388 -0400] rprt s=2sunues3yv m=1 x=2sunues3yv-1 mod=av cmd=run rule=clean vendor=fsecure version="vendor=fsecure engine=2.50.10434:,, definitions=2019-06-06_14:,, signatures=0" duration=0.000
[2019-06-06 17:08:03.667159 -0400] info mod=regulation type=mail cmd=refresh id=0 action=load dict=CJ27_ExtClass_B file=/opt/server/pps-8.0.1.1446/etc/regulation/user/CJ27_ExtClass_B

Badger · June 7, 2019, 5:11pm

One of those messages results in

   "version" => {
         "engine" => "2.50.10434:,,",
    "definitions" => "2019-06-06_14:,,",
     "signatures" => "0",
         "vendor" => "fsecure"
},

and the other in

      "dict" => "CJ27_ExtClass_B",

I believe those errors are trying to tell you that you have already ingested documents in which [dict] is a hash (like [version] is above), and in which [version] is a string (like [dict] is above). A field cannot be both -- once its type is set elasticsearch cannot map documents that have the wrong type.

bkasrai · June 9, 2019, 7:01pm

Thanks @Badger. Would it be safe to assume this could be tied to my template that I created? Should I explicitly map these fields? or clear the index and try to re-create the index with a modified dynamic template?

Badger · June 10, 2019, 12:16am

No, that is not a safe assumption. If the template is wrong it could cause this. For example, if it specifies that version is a string when it is always an object. However, it is also possible that you data structure is inconsistent, so that version (and dict) are sometimes strings and sometimes objects.

If that is the case then you would need a ruby filter that would check to see if the value of dict/version is an instance of a string, and if so, replace it with a hash that contains the value. Something like

    ruby {
        code => '
            [ "dict", "version" ].each { |x|
                xvalue = event.get(x)
                if xvalue and xvalue.kind_of?(String)
                    event.set(x, { x => xvalue })
                end
            }
        '
    }

bkasrai · June 11, 2019, 4:29pm

Thanks Badger-I will work on this and see if i can determine where the issue with this is based off of your feedback. I will tell you for now that the data structure for these logs are inconsistent thus making my life a bit difficult so I do appreciate the help as always.

system · July 9, 2019, 4:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to parse field [host] of type [text] Logstash docker	4	31	October 28, 2024
Logstash doesn't parse message into separate parts Logstash	5	7	November 3, 2024
Mapper parsing exception - failed to parse field Logstash	10	6991	May 8, 2022
Logstash Fail to Index Events due to field type Logstash	2	34	July 25, 2024
Logstash pipeline error during parsing of Logs Logstash	1	96	May 17, 2024

Failed to parse error for certain records

Related Topics