Getting error when i try to import the Json file

raki1205 · November 30, 2016, 8:43pm

Hi,
I'm new to elastic search. When i try to load a json file using CURl, I'm getting an error

ERROR
$ curl -XPUT xxxxxxxxxx:9200/_bulk --data-binary @FSAudit.log-2016-11-30-001.part.json
{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [$date]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [$date]"},"status":400}

While the Index is getting created properly. Index i created is below.

INDEX
curl -XPUT http://xxxxxxxxx:9200/fsaudit -d '
{
"mappings" : {
"default" : {
"properties" : {
"@timestamp" : { "type" : "date" },
"timestamp":{"properties":{"$date":{"type":"date","format":"strict_date_optional_time||

epoch_millis"}}},
"operation" : {"type": "string" },
"user" : { "type" : "string" },
"uid" : { "type" : "integer" },
"ipAddress" : { "type" : "string" },
"nfsServer" : { "type" : "string" },
"parentPath" : { "type" : "string" },
"parentFid" : { "type" : "string" },
"childPath" : { "type" : "string" },
"childFid" : { "type" : "string" },
"childName" : { "type" : "string" },
"VolumeName" : { "type" : "string" },
"volumeId" : { "type" : "integer" },
"status" : { "type" : "integer" }
}
}
}
}
';

Please help us in rectifying the issue.

Thanks,
Rakesh

Mark_Harwood · December 1, 2016, 11:34am

We need to see line 1 of the FSAudit.log-2016-11-30-001.part.json file

raki1205 · December 1, 2016, 4:11pm

Hi Mark,

Below is my few contents of the Json file.

{"timestamp":{"$date":"2016-11-30T06:00:33.362Z"},"operation":"ENABLEAUDIT","user":"mapr","uid":5000,"ipAddress":"x.x.x.x","srcPath":"/audit/myaudit/","srcFid":"9155.16.2","VolumeN
ame":"myaudit","volumeId":181245567,"status":0}
{"timestamp":{"$date":"2016-11-30T06:05:31.223Z"},"operation":"MKDIR","user":"root","uid":0,"ipAddress":"127.0.0.1","nfsServer":"x.x.x.x","parentPath":"/audit/myaudit/","parentFid"
:"9155.16.2","childPath":"/audit/myaudit/testdir","childFid":"9155.32.131394","childName":"testdir","VolumeName":"myaudit","volumeId":181245567,"status":0}

Thanks in Advance..

Mark_Harwood · December 1, 2016, 4:14pm

Wrong format?
This looks to be all data, and no actions - see https://www.elastic.co/guide/en/elasticsearch/reference/5.0/docs-bulk.html

raki1205 · December 1, 2016, 4:54pm

Mark,

But I'm getting the error for the date .Is it something to do with the data?

Thanks

Mark_Harwood · December 1, 2016, 4:58pm

Yes. "Date" is not an action - it's data.
A bulk file is:

action
data

action
data

action
data

Actions are either index, delete or update commands so you need to prefix each data doc with an action instruction. The document I linked to describes this format.

raki1205 · December 2, 2016, 6:31pm

Thanks Mark..It worked

system · December 30, 2016, 6:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.