Logstash could not index event, how to view what server send the event

Hi,

We are currently receiving quite some errors relating to the same issue:

[2023-03-27T15:13:43,994][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-8.4.2-2023.03.27", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0xae9e3d9>], :response=>{"index"=>{"_index"=>"filebeat-8.4.2-2023.03.27", "_type"=>"doc", "_id"=>"1Tg0I4cBwp24Jwa8A00Q", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [params.value] of type [keyword] in document with id '1Tg0I4cBwp24Jwa8A00Q'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:2731"}}}}}

Now i understand that params.value is expecting a type of keyword but is receiving an object.
We have a lot of servers with filebeat connected to logstash.

Is there a way i can view what server is sending these events that containt this error?

Do you have anything in the message that would indicate the server? The raw message is also logged in this case and you could check on it.

Since it is an error 400 you could also enable the DLQ to store those messages and consume it later to investigate further.

Unfortunately no indication of the server in the error messages.

DLQ sounds like it could help me fix my problem.
I will look into that thanks for the information.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.