Logstash WARN: Could not index event to Elasticsearch .... Can't get text on a START_OBJECT

d.silwon · August 11, 2022, 10:17am

Dears,

I have some problem with json. When I send json log to logstash there are many errors like this:

Could not index event to Elasticsearch .... Can't get text on a START_OBJECT at 1:670

My json log looks like:

{"timestamp":"2022-08-11T10:25:47.866+0200","level":"INFO","logger":"q2","message":"Authorization message sent","sourceApp":"APPDH","data":[{"source":"csshi/192.168.13.12:10003","type":"send","payload":{"0":"1200","11":"403443","12":"220811102531","14":"2412","2":"459099______4152","22":"511501511328","23":"000","24":"200","26":"7011","3":"000000","32":"013203","35":"459099______4152=____________________","37":"222308403443","4":"000000002400","41":"00005009","42":"100189000001","43":"Lab \\street. Kochanowskiego 11\\Warsow\\11-164    POL","49":"985","52":"qlWqVQ==","55":"qlWqVQ==","7":"0811082531","94":"db1136d7-f121-48a1-bf06-1f6308acbf40"},"objectType":"isoRequest","processingId":"db1136d7-f121-48a1-bf06-1f6308acbf40"}]}

Filebeat configuration looks like:

- type: log
  enabled: true
  paths:
    - /app/log/q2.log
  tags: ["app","app-dev","dhjson"]
  json.keys_under_root: true
  json.add_error_key: true

Logstash configuration looks like:

...
  if "dhjson" in [tags] {
    date {
      match => ["timestamp", "YYYY-MM-dd'T'HH:mm:ss.SSS", "YYYY-MM-dd'T'HH:mm:ss.SSSZ"]
      timezone => "Europe/Warsaw"
      target => "@timestamp"
    }
  }
...
  else if "dhjson" in [tags] {
    mutate {
      replace => { "[@metadata][index_prefix]" => "appdev-%{+YYYY.MM.dd}" }
    }
  }

Any idea what can be wrong?
Can be a number as field name?

Best Regards,
Dane

leandrojmp · August 11, 2022, 12:29pm

You need to share the entire log error, not just part of it.

This error normally happens when you try to index an field that it is an json object, but the mapping for this field does not allow it, because it was not mapped as an object or you are using dynamic mapping and already indexed a field with the same name that was not an object.

Check this forum post about that message.

d.silwon · August 11, 2022, 1:32pm

@leandrojmp you are right. Firstly the field was a string, now log was change to json and the field is an object. Thanks a lot.

system · September 8, 2022, 1:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.