Logstash to Elasticsearch there is 10-20min for delay, also not all logs are indexed

mayank_singh · June 16, 2023, 2:54pm

Hi,
I am sending logs from Logstash to Elasticsearch. The Elasticsearch seems to be working fine but there is 10-20mins of delay in logs index also getting below error on logstash, any help would be greatly appreciated.

[2023-06-16T14:36:50,078][WARN ][logstash.outputs.elasticsearch][main][044debbbdfef92ace7e72d6a3ec877042a9516199b68b4ae9f8ddd3c0a5bc642] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2023.06.16", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x42680064>], :response=>{"index"=>{"_index"=>"logstash-2023.06.16", "_type"=>"_doc", "_id"=>"VKujxIgBjcUFivZxMzvM", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [timestamp] of type [date] in document with id 'VKujxIgBjcUFivZxMzvM'. Preview of field's value: '1686925083.1633325'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [1686925083.1633325] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"date_time_parse_exception: Failed to parse with all enclosed parsers"}}}}}}

Badger · June 16, 2023, 4:43pm

I cannot speak to the delay without seeing more of the configuration, but I think the failure to parse '1686925083.1633325' as [strict_date_optional_time||epoch_millis] is because that time is in epoch_second, not epoch_millis.

Rios · June 17, 2023, 10:49am

Just to add, I assume issues are: grok(especially if there is too many GREEDYDATA) and mapper_parsing_exception.

Hemanth_Gowda · June 17, 2023, 3:20pm

Please check if you have refresh interval set to your index which is causing the delay.

system · July 15, 2023, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.