slavik57
(Slava Shpitalny)
April 24, 2018, 8:31am
1
I am using ELK 5.5.0.
When I send a log containing a field with a conflicting type, it doesn't show up in Kibana, but I cannot find any error in the logs.
Example:
curl -H "content-type: application/json" -XPOST 'http://localhost:9191' -d '{
"message": "This is a log line",
"extrafield": 1
}'
curl -H "content-type: application/json" -XPOST 'http://localhost:9191' -d '{
"message": "This is a log line",
"extrafield": "no i am string"
}'
The first log sets the extrafield type to be a number.
The second log is simply ignored without any errors.
Am I missing a place where the errors can be written?
It seems like you are missing the index and type in your request. If I run the following:
curl -H "content-type: application/json" -XPOST 'http://localhost:9200/test/doc?pretty' -d '{
"message": "This is a log line",
"extrafield": 1
}'
curl -H "content-type: application/json" -XPOST 'http://localhost:9200/test/doc?pretty' -d '{
"message": "This is a log line",
"extrafield": "no i am string"
}'
I get an error in the response for the second request:
{
"error" : {
"root_cause" : [
{
"type" : "mapper_parsing_exception",
"reason" : "failed to parse [extrafield]"
}
],
"type" : "mapper_parsing_exception",
"reason" : "failed to parse [extrafield]",
"caused_by" : {
"type" : "illegal_argument_exception",
"reason" : "For input string: \"no i am string\""
}
},
"status" : 400
}
slavik57
(Slava Shpitalny)
April 24, 2018, 10:10am
3
Changed to:
curl -H "content-type: application/json" -XPOST 'http://localhost:9191/logs' -d '{
"message": "This is a log line",
"extrafield": 1
}'
curl -H "content-type: application/json" -XPOST 'http://localhost:9191/logs' -d '{
"message": "This is a log line",
"extrafield": "no i am string"
}'
Still same behaviour.
A_B
April 24, 2018, 10:15am
4
This should show up in Elasticsearch logs as an error.
To get around this you have to set index.mapping.ignore_malformed=true for extrafield.
You are still not specifying the type, which is causing the requests to fail. Please try running the example I provided.
slavik57
(Slava Shpitalny)
April 24, 2018, 10:27am
6
I am using Logstash, so it hid the message for me.
When I sent the request directly to Elastic, it showed the error.
A_B
April 24, 2018, 12:10pm
7
One more thing. If you can avoid having different types of data for the same key, do it. I don't have much control of what format logs are sent to our Elastic Stack and over time this has become a serious pain.
If you are using Logstash, you may want to enable the dead letter queue as I believe it would catch this scenario.
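Logstash's Elasticsearch output sends events through the bulk API, where a rejected document is reported per item in the response body instead of failing the whole request, which is how a mapping conflict like the one in this thread can drop events unnoticed. As an added example (not part of the original thread), this Python function pairs each rejected bulk item with the document that was submitted so the loss can be logged or alerted on; the sample response is constructed and `rejected_documents` is a hypothetical helper name.

```python
import re

# Constructed sample: the two documents from this thread and the shape of a
# _bulk response in which the second one hits the mapping conflict.
SAMPLE_DOCS = [
    {"message": "This is a log line", "extrafield": 1},
    {"message": "This is a log line", "extrafield": "no i am string"},
]
SAMPLE_BULK_RESPONSE = {
    "took": 5, "errors": True,
    "items": [
        {"index": {"_index": "test", "_type": "doc", "_id": "a1", "status": 201}},
        {"index": {"_index": "test", "_type": "doc", "_id": "a2", "status": 400,
                   "error": {
                       "type": "mapper_parsing_exception",
                       "reason": "failed to parse [extrafield]",
                       "caused_by": {"type": "illegal_argument_exception",
                                     "reason": 'For input string: "no i am string"'}}}},
    ],
}

FIELD_RE = re.compile(r"failed to parse \[([^\]]+)\]")


def rejected_documents(docs, bulk_response):
    """Pair every rejected bulk item with the document that was submitted."""
    if not bulk_response.get("errors"):
        return []
    items = bulk_response["items"]
    if len(items) != len(docs):
        raise ValueError("bulk response does not line up with submitted docs")
    rejected = []
    for doc, item in zip(docs, items):
        # Each item has a single key naming the action (index, create, ...).
        result = next(iter(item.values()))
        error = result.get("error")
        if error is None:
            continue
        match = FIELD_RE.search(error.get("reason", ""))
        rejected.append({
            "status": result["status"],
            "error_type": error.get("type"),
            "field": match.group(1) if match else None,
            "cause": error.get("caused_by", {}).get("reason"),
            "document": doc,
        })
    return rejected

if __name__ == "__main__":
    print(rejected_documents(SAMPLE_DOCS, SAMPLE_BULK_RESPONSE))
```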