Filebeat stops sending json logs midway. Version: 6.0.0-rc1

rohit-smpx · October 31, 2017, 12:37pm

I have some test logs in json format. The number of entries are 900+ in the file I'm testing. After a fresh installation, Filebeat starts sending the logs but after some time (a few minute) starts giving this err:

ERR Failed to publish events: temporary bulk send failure

Enabling debug logs, shows this :

DBG Bulk item insert failed (i=13, status=500): {"type":"string_index_out_of_bounds_exception","reason":"String index out of range: 0"}

The final count of documents in the index created in elasticsearch is 631, less than the 900+ in log file (Untitled-2.json in the logs attached). It has sometimes stopped as early as 100s.

The debug logs and the filebeat configuration are attached in this gist:

https://gist.github.com/rohit-smpx/79669da791f8ec76f93043ae9fb505d4

steffens · November 1, 2017, 12:25pm

Thanks for reporting. I wonder if the error happens when processing event from the syslog module or due to the json prospector. Either way, it might be a bug.

Can you test with only the syslog and only the json prospector being enabled? If one or the other fails can you try to reduce the log files, until we find a few events causing the issue?

steffens · November 1, 2017, 12:27pm

Also check the Elasticsearch logs. The full exception including a stack-trace should be available in the logs.

rohit-smpx · November 1, 2017, 12:56pm

I updated the gist to include the elasticsearch logs. I didn't see any ERR in there. I did check with the json prospector disabled, and there were no errors. I'll reduce the events and try again.

rohit-smpx · November 1, 2017, 1:34pm

gist.github.com

https://gist.github.com/rohit-smpx/5957d67d08f7a73c0d35c32b4da66df0

filebeat.log

2017-11-01T18:51:48+05:30 INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017-11-01T18:51:48+05:30 INFO Beat UUID: 190f0fd5-5dc9-45b6-8eba-0d639183683e
2017-11-01T18:51:48+05:30 INFO Setup Beat: filebeat; Version: 6.0.0-rc2
2017-11-01T18:51:48+05:30 INFO Elasticsearch url: http://elastic.example.com:9200
2017-11-01T18:51:48+05:30 INFO Metrics logging every 30s
2017-11-01T18:51:48+05:30 INFO Beat name: rohit-VirtualBox
2017-11-01T18:51:48+05:30 INFO Elasticsearch url: http://elastic.example.com:9200
2017-11-01T18:51:48+05:30 INFO Connected to Elasticsearch version 6.0.0-rc2
2017-11-01T18:51:48+05:30 INFO For Elasticsearch version >= 6.0.0, the Kibana dashboards need to be imported via the Kibana API.
2017-11-01T18:51:48+05:30 INFO Kibana url: http://kibana.example.com:80

This file has been truncated. show original

Disabling syslog fixed it for now. I'll add some debug logs tomorrow.

rohit-smpx · November 2, 2017, 7:07am

This is fixed. In the filebeat conf I had set up the index name as

index: "filebeat.%{[table]}.%{+yyyy.MM}"

Where 'table' was a field in the json logs. But the syslog logs didn't have those, so I think the error was because of that. I changed it to this:

 indices:
    - index: "filebeat.%{[table]}.%{+yyyy.MM}"
      when.regexp:
        table: ".*"
  
  index: "filebeat.syslog.%{+yyyy.MM.dd}"

Now, the default index is syslog and if the log has a table field it will go to it's respective index.

steffens · November 2, 2017, 11:58am

Oh, seems like the index was not correctly set due to this. You can also use 'defaults' like this:

index: 'filebeat.%{[table]:syslog}.%{+yyyy.MM}'

rohit-smpx · November 2, 2017, 12:58pm

Thanks, will do

system · November 30, 2017, 12:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.