Issue with logstash input elasticsearch plugin with ES 5.4

henrilabarre · May 9, 2017, 2:15pm

HI this conf works with ES 5.3

input {
  elasticsearch {
    hosts => "http://localhost:9200"
	index => "sirene"
	query => '{"query": {"query_string" : {"query": "(CODGEO:60471 AND provider:sp_mairie)"}}}'
  }
}
output {
  stdout { codec => json }
}

But fail with ES 5.4 with this error:

Error: [400] {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Failed to parse request body"}],"type":"illegal_argument_exception","reason":"Failed to parse request body","caused_by":{"type":"json_parse_exception","reason":"Unrecognized token 'DnF1ZXJ5VGhlbkZldGNoBQAAAAAAABHMFm84Mm84SFpzU3VHSzdWMHdWQ3N3NGcAAAAAAAARzhZvODJvOEhac1N1R0s3VjB3VkNzdzRnAAAAAAAAEc8WbzgybzhIWnNTdUdLN1Ywd1ZDc3c0ZwAAAAAAABHQFm84Mm84SFpzU3VHSzdWMHdWQ3N3NGcAAAAAAAARzRZvODJvOEhac1N1R0s3VjB3VkNzdzRn': was expecting ('true', 'false' or 'null')\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@d38650b; line: 1, column: 457]"}},"status":400}

Thanks for your help

theuntergeek · May 9, 2017, 3:30pm

I would change your query to be regular syntax and not use query_string syntax. It's not listed as a breaking change for 5.4, but I think that they're getting away from using Lucene query_string as it has a profound ability to do bad things to clusters.

If you were to run the same query against 5.4 from the command-line (via curl, for instance) you would get the same result (a 400 error), I think. As such, this may be more a question for the Elasticsearch forum than the Logstash one.

henrilabarre · May 9, 2017, 3:32pm

Hi!

With curl it's working (so I guess it's a logstash question)...
I will try to change the query in order not to use the query_string (this is still in the 5.4 docs https://www.elastic.co/guide/en/elasticsearch/reference/5.4/query-dsl-query-string-query.html) . What format do you recommend?

Best

theuntergeek · May 9, 2017, 4:05pm

Hmm. But it is Elasticsearch that is responding with the 400 error...

Regardless, I would use filters, first and foremost, as you are looking for exact term values. Performing a query instead of a filter here is less efficient. An example is here.

henrilabarre · May 9, 2017, 4:26pm

Thanks I will try this way! And move this post to the elastisearch forum

henrilabarre · May 11, 2017, 7:45am

resolved here https://github.com/logstash-plugins/logstash-input-elasticsearch/issues/66

system · June 8, 2017, 7:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash with elasticsearch input loops results and always gives the error " Failed to parse request body " Logstash	2	1987	May 4, 2017
Logstash elasticsearch input Logstash	2	726	June 9, 2017
Sample setting with elasticsearch input plugin doesn't work Logstash	2	1193	June 20, 2017
Logstash raising json_parse_exception when input events are coming from elastisearch Logstash	2	957	August 19, 2017
Logstash input elasticsearch plugin throws error Logstash	2	589	October 25, 2017

Issue with logstash input elasticsearch plugin with ES 5.4

Related topics