Json message not available in the ELK-stack

twan · July 19, 2018, 2:14pm

Hi there,

We've ran into a problem within our ELK-stack. We have an application that logs in json format.
When there is an error the application adds an field called "stack_trace". In this field is the stack trace parsed (obviously).

We use the JSON filter plugin for Logstash. If the stack_trace field is present with an very big stack trace, the event is not send to Elasticsearch, and we also cannot find it on the persistent queue.

Is there a limit to what size a single field in the JSON message can be?
If there is a small stack trace in the field, the message is send to ES.

Or can it be that the whole message is getting to large with a big stack trace in it?

There is no error in the logging of Filebeat, Logstash, Elasticsearch regarding this problem.
We are running version 6.3.1 of the Elastic stack.

If you need more information, please ask

Badger · July 19, 2018, 8:44pm

The field is not sent, or the event is not sent? Are you saying the event is put into elasticsearch without the over-sized stack trace?

twan · July 20, 2018, 8:54am

Ah sorry, the complete event is not send to Elasticsearch.

twan · July 26, 2018, 1:06pm

Does anyone know why this is happening?

system · August 23, 2018, 1:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON filter swallowing events with no errors Logstash	3	249	June 3, 2021
Newbie question -- ELK 6.2, Logstash error status 400 Logstash	12	1679	August 3, 2018
JSON Filter Making Events Disappear Logstash	8	1001	December 23, 2020
[SOLVED] How to manage HUGE log messages sent to ELK stack over-the-wire? Logstash	3	1771	April 8, 2017
If _jsonparsefailure in [tags] Logstash	4	8796	February 26, 2017

Json message not available in the ELK-stack

Related topics