Get the raw log which can't be indexed to Elasticsearch

I have an error on Logstash:

[2021-08-07T00:24:08,330][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2021.08.07", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x1c23aef3], :response=>{"index"=>{"_index"=>"logstash-2021.08.07", "_type"=>"doc", "_id"=>"cvn-HXsBe0gI7rJ74b5a", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [timestamp]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: "2021-08-07 00:24:06" is malformed at " 00:24:06""}}}}}

I want to find the raw log of this error. I'm using Filebeat to ship the log to Logstash and index it into Elastic. I have tried to search for the id cvn-HXsBe0gI7rJ74b5a in Elastic but it was not found.

Hi and welcome to our community.
This is more of an Elasticsearch / Logstash question, since Kibana, the UI, can't find documents that have not been indexed. In this case it seems the timestamp you're trying to ingest in Elasticsearch is not working, so you have to find out which part of your pipeline modifies it.

Since you're shipping Filebeat -> Logstash -> Elasticsearch, I would have a closer look at your Logstash configuration, since the timestamp Filebeat is generating should be fine (you could also ship Filebeat -> Elasticsearch, BTW).

Best,
Matthias
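
One way to work back from the warning to the source line, as an added example that is not part of the original thread: parse the field name and the rejected value out of the Logstash warning, then search the lines Filebeat reads for that value. The sample warning is abridged from the one quoted in the question, the raw log lines are constructed, and the approach assumes the rejected value appears verbatim in the raw log line.

```python
import re

# Pieces of a Logstash "Could not index event" warning. \\?" accepts the inner
# quotes both escaped (\") and unescaped, as they appear in the question.
WARN_RE = re.compile(
    r'^\[(?P<logged_at>[^\]]+)\]\[WARN\s*\]\[logstash\.outputs\.elasticsearch\]'
    r'.*?"_index"=>"(?P<index>[^"]+)"'
    r'.*?failed to parse \[(?P<field>[^\]]+)\]'
    r'.*?Invalid format: \\?"(?P<value>.*?)\\?" is malformed at'
)

# Abridged from the warning quoted in the question (the :action part is dropped).
SAMPLE_WARN = (
    '[2021-08-07T00:24:08,330][WARN ][logstash.outputs.elasticsearch] Could not '
    'index event to Elasticsearch. {:status=>400, :response=>{"index"=>{"_index"=>'
    '"logstash-2021.08.07", "_type"=>"doc", "_id"=>"cvn-HXsBe0gI7rJ74b5a", '
    '"status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>'
    '"failed to parse [timestamp]", "caused_by"=>{"type"=>'
    '"illegal_argument_exception", "reason"=>'
    '"Invalid format: "2021-08-07 00:24:06" is malformed at " 00:24:06""}}}}}'
)

# Constructed raw source lines (hypothetical application log shipped by Filebeat).
SAMPLE_RAW = [
    '2021-08-07T00:24:05Z host=web01 msg="login ok"',
    '2021-08-07 00:24:06 host=web01 msg="login failed"',
    '2021-08-07T00:24:07Z host=web01 msg="logout"',
]

def parse_rejection(line):
    """Return logged_at, index, field and rejected value, or None if no match."""
    m = WARN_RE.match(line)
    return m.groupdict() if m else None

def find_raw_lines(raw_lines, rejection):
    """Return (line_number, line) for source lines containing the rejected value."""
    return [(n, l) for n, l in enumerate(raw_lines, 1) if rejection["value"] in l]

if __name__ == "__main__":
    rejection = parse_rejection(SAMPLE_WARN)
    print("rejected field:", rejection["field"], "value:", rejection["value"])
    for number, line in find_raw_lines(SAMPLE_RAW, rejection):
        print(f"candidate raw line {number}: {line}")
```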
