Large events don't reach elasticsearch

Hello,

We're using Filebeat -> Kafka -> Logstash -> Elasticsearch (Kibana).
for error messages we use multiline grouping from Filebeat - which obviously creates large events (around 50 lines, ~5000 characters).

I can find the event going through Filebeat, Kafka and Logstash by viewing the logs, with no errors (except json parsing warnings from logstash, but it repeats for other events and doesn't interrupt them from getting to elastic).

I'm not seeing any error logs from elastic when running with debug log level. where else can I look? will setting a watcher to some how track event size help?

Thanks ahead

I've fond this log from elasticsearch, not sure if the Mapping trace log is related to the main one which indicates about the size of the doc being indexed..

has anyone ever came across this issue?

[2023-08-30T10:15:22,886][DEBUG][o.e.a.b.TransportShardBulkAction] [node1] [stg_logs_2023.08.30][0] failed to execute bulk item (index) index {[stg_logs_2023.08.30][doc][BwjwRYoBp7N2OxCUymUE], source[n/a, actual length: [3.1kb], max length: 2kb]} org.elasticsearch.index.mapper.MapperParsingException: failed to parse field [trxId] of type [text] at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:303) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:488) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:505) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:395) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:384) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.index.mapper.DocumentParser.internalParseDocument(DocumentParser.java:96) ~[elasticsearch-6.6.1.jar:6.6.1

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.