Ingest pipeline not working correctly?

iamtheliquor · October 26, 2020, 10:45am

Hi everybody,

We have two pipelines, that are identical, one is for staging and one is for production logs;

    {
      "staging_pipeline" : {
        "description" : "Staging Pipeline",
        "processors" : [
          {
            "grok" : {
              "field" : "message",
              "patterns" : [
                "%{GREEDYDATA:log}"
              ],
              "on_failure" : [
                {
                  "set" : {
                    "field" : "error",
                    "value" : "{{ _ingest.on_failure_message }}"
                  }
                }
              ]
            }
          },
          {
            "json" : {
              "field" : "log",
              "on_failure" : [
                {
                  "set" : {
                    "field" : "error",
                    "value" : "{{ _ingest.on_failure_message }}"
                  }
                }
              ]
            }
          }
        ]
      }
    }

The difference is literally the word staging is production.

In the staging environment this does what we expect, and creates fields called log.whatever.is.in.the.json. However, in production, we get the following error;

Provided Grok expressions do not match field value:

Then the contents of the message, which is all in standard json format, and we can verify that in the actual message field.

I don't know why it's complaining about the grok expression in one but not the other, as the pipelines are identical, as are the logs coming in. We have tried completely deleting the production pipeline and recreating it, but the same thing happens.

Any thoughts would be much appreciated.

spinscale · October 26, 2020, 12:25pm

can you provide a fully reprodicible example with both pipelines and a simulate pipeline call for each of them showing the problem? That would help a lot!

Thanks!

iamtheliquor · October 27, 2020, 10:36am

Okay, so I think I am doing this correctly, here is the example log coming from the application;

{"message":"Notified event \"kernel.request\" to listener \"Symfony\\Component\\HttpKernel\\EventListener\\ValidateRequestListener::onKernelRequest\".","context":{"event":"kernel.request","listener":"Symfony\\Component\\HttpKernel\\EventListener\\ValidateRequestListener::onKernelRequest"},"level":100,"level_name":"DEBUG","channel":"event","datetime":{"date":"2020-10-27 10:19:40.978821","timezone_type":3,"timezone":"UTC"},"extra":[]}`

Here is me simulating it through the pipelines;

Staging;

POST /_ingest/pipeline/staging_pl/_simulate
{
  "docs": [
    {
        "_index": "index",
        "_id": "id",
        "_source": {"message":"Notified event \"kernel.request\" to listener \"Symfony\\Component\\HttpKernel\\EventListener\\ValidateRequestListener::onKernelRequest\".","context":{"event":"kernel.request","listener":"Symfony\\Component\\HttpKernel\\EventListener\\ValidateRequestListener::onKernelRequest"},"level":100,"level_name":"DEBUG","channel":"event","extra":[]}
    }
  ]
}

Response;

{
  "docs" : [
    {
      "doc" : {
        "_index" : "index",
        "_type" : "_doc",
        "_id" : "id",
        "_source" : {
          "level_name" : "DEBUG",
          "level" : 100,
          "log" : """Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest".""",
          "extra" : [ ],
          "context" : {
            "listener" : """Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest""",
            "event" : "kernel.request"
          },
          "channel" : "event",
          "message" : """Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest".""",
          "error" : """Unrecognized token 'Notified': was expecting 'null', 'true', 'false' or NaN\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@322f9cd2; line: 1, column: 10]"""
        },
        "_ingest" : {
          "timestamp" : "2020-10-27T10:22:01.769671Z"
        }
      }
    }
  ]
}

Production;

POST /_ingest/pipeline/production_pl/_simulate
{
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {"message":"Notified event \"kernel.request\" to listener \"Symfony\\Component\\HttpKernel\\EventListener\\ValidateRequestListener::onKernelRequest\".","context":{"event":"kernel.request","listener":"Symfony\\Component\\HttpKernel\\EventListener\\ValidateRequestListener::onKernelRequest"},"level":100,"level_name":"DEBUG","channel":"event","extra":[]}
    }
  ]
}

Response;

{
  "docs" : [
    {
      "doc" : {
        "_index" : "index",
        "_type" : "_doc",
        "_id" : "id",
        "_source" : {
          "level_name" : "DEBUG",
          "level" : 100,
          "log" : """Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest".""",
          "extra" : [ ],
          "context" : {
            "listener" : """Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest""",
            "event" : "kernel.request"
          },
          "channel" : "event",
          "message" : """Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest".""",
          "error" : """Unrecognized token 'Notified': was expecting 'null', 'true', 'false' or NaN\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@463937d9; line: 1, column: 10]"""
        },
        "_ingest" : {
          "timestamp" : "2020-10-27T10:31:58.385232Z"
        }
      }
    }
  ]
}

Both response look exactly the same to me. They are complaining about something;

"error" : """Unrecognized token 'Notified': was expecting 'null', 'true', 'false' or NaN\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@463937d9; line: 1, column: 10]""" },

But still, staging populates the fields correctly, but production does not.

Perhaps I am not doing something right here?

system · November 24, 2020, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest Pipeline for parsing multiline fields giving provided Grok expressions do not match field value error error Elasticsearch	2	293	August 6, 2023
Detecting JSON in Ingest pipeline Elasticsearch	2	2114	November 6, 2018
Issue with ingestion pipeline with conditional Elasticsearch painless , ingest-pipeline , runtime-fields	2	435	March 16, 2023
Failed json lines being ignored Beats filebeat	7	1158	August 6, 2018
Ingest pipeline KV processor failure Elasticsearch	3	2515	August 29, 2017

Ingest pipeline not working correctly?

Related Topics