Failed to parse field [host] of type [text] after upgrade from 7.17 to 8.12

snakeapit · February 20, 2024, 11:41pm

Seeing this error below in logstash after upgrade from 7.17 to 8.12, data unable to index to Elasticsearch.

I'm new in Elastics, hopefully someone can assist here. Suspect the change in version 8.12 causing different type for the default field "host"

response=>{"index"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:888] failed 
to parse field [host] of type [text] in document with id 'XXX-XXX-CUCM-1_4_236ab2df-4e78-44e4-b759-53ad3c48b763'. Preview of field's value: '{na
me=teknslev02esl}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:865"}}}}}
[2024-02-16T15:34:32,095][WARN ][logstash.outputs.elasticsearch][cucm-cdr][cucm-cdr-output] Could not index event to Elasticsearch. {:status=>40
0,

Badger · February 21, 2024, 12:14am

See this thread.

Not sure what changed between 7.17 and 8.12. Perhaps the change in ECS compatibility described in the Breaking changes section of the 8.0 release notes.

snakeapit · March 11, 2024, 10:37pm

Thanks @Badger for your input. The issue resolved by adding the following to .conf file

mutate {
    rename => { "[host][name]" => "host" }
}

system · April 8, 2024, 10:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.