Mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

Please suggest a workaround if there is one.

[2023-09-27T14:56:22,072][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}[2023-09-27T14:56:22,094][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}[2023-09-27T14:57:04,252][WARN ][logstash.outputs.opensearch][main][e88d14ed9d066b8862ff8822a615df883a8bf8bbb6c29a8ac8b57886c0a9c6a9] Could not index event to OpenSearch.{:status=>400, :action=>["index", {:_id=>"%{fingerprint}", :_index=>"abb-abo-abb1-xlm-2023.09.27", :routing=>nil}, {"HostIp"=>["10.10.188.18", "10.10.188.18", "10.10.188.18"], "message"=>"[140206525253504] 09/27/2023 14:57:03 [E]  OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. Peer: 10.10.188.18:11890","ActualMsg"=>["OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. Peer: 10.10.188.18:11890", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. ", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. Peer: 10.10.188.18:11890", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. ", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. "], "Port"=>["11890", "11890", "11890"], "type"=>"abbmq", "aboach"=>["140206525253504", "140206525253504"], "event"=>{"hash"=>"f1bdbaaa1a05e04bf486856cf41e796d63d4d5d4", "original"=>"[140206525253504] 09/27/2023 14:57:03 [E]  OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. 
Peer: 10.10.188.18:11890"}, "partition"=>"abb1", "@version"=>"1", "podName"=>"abb","tags"=>["_dateparsefailure"], "@timestamp"=>2023-09-27T14:57:04.119983481Z, "log"=>{"file"=>{"path"=>"/var/abb/abbmq/logs/abbmq.log"}}, "host"=>"[host][name]", "nodeRole"=>"abb-abo-abb1-xlm", "productCode"=>"abb-abo", "loglevel"=>["E", "E"]}], :response=>{"index"=>{"_index"=>"abb-abo-abb1-xlm-2023.09.27", "_id"=>"%{fingerprint}", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

Below is my grok

    input {
      file {
        path => "/var/abb/abbmq/logs/abbmq.log"
        start_position => "beginning"
        type => "abbmq"
      }
    }
    filter {
      if [type] == "abbmq" {
        grok {
          match => {"message" => "^\[%{INT:Epoach}\]%{SPACE}%{DATE_US:LogTimestamp}%{SPACE}%{HOUR:hr}:%{MINUTE:min}:%{SECOND:sec} \[%{WORD:loglevel}\]%{SPACE}%{GREEDYDATA:ActualMsg}"}
        }
        if [ActualMsg] {
          grok {
            # Get fields from actualMsg
            match => {"ActualMsg" => "^%{GREEDYDATA:ActualMsg}\Peer.%{SPACE}%{IP:HostIp}\:%{INT:Port}"}
          }
          date {
            locale => "en"
            match => [ "LogTimestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
            timezone => "UTC"
            target => "@timestamp"
          }
          mutate {
            remove_field => [ "LogTimestamp"]
          }
          mutate {
            remove_field => [ "hr", "min", "sec" ]
          }
        }
      }
    }

I tried adding the below:

    mutate {
        replace => { "[host]" => "[host][name]" }
    }

but still the same issue.

I appreciate your help.

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Hi @ranjini, it looks like you are connecting to OpenSearch, not Elasticsearch, so you should really go to their forums; you will not get much help here.

Also, your Logstash is wrong; you can see "host"=>"[host][name]" in the error.

replace is not correct; you want to use rename

    mutate {
        rename => {"shortHostname" => "hostname"}
    }

And if you want to understand the error you can take a look at this

Thank you @stephenb for helping. Appreciate your help. I removed the host field.
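
Added example, not part of any post in this thread: a small Ruby check that finds fields which are an object in one event and a concrete value in another, the condition behind the `mapper_parsing_exception` above, so rejected (and therefore missing) log events can be caught before indexing. The events are plain hashes with constructed values, and the helper names and the `node-a` host are assumptions for illustration.

```ruby
# Added example, not code from the thread. Events are plain hashes shaped like
# the Logstash event in the error above; sample values are constructed.

# Classify a field value the way the mapper error does: object vs concrete.
# For arrays the first element decides; nil and empty arrays are skipped.
def value_kind(value)
  sample = value.is_a?(Array) ? value.first : value
  return nil if sample.nil?
  sample.is_a?(Hash) ? :object : :concrete
end

# Record the kinds seen for every dotted field path in one event.
def record_kinds(doc, seen, prefix = nil)
  doc.each do |key, value|
    path = prefix ? "#{prefix}.#{key}" : key.to_s
    kind = value_kind(value)
    next if kind.nil?
    seen[path] << kind
    next unless kind == :object
    sample = value.is_a?(Array) ? value.first : value
    record_kinds(sample, seen, path)
  end
end

# Field paths that are an object in one event and a concrete value in another.
def mapping_conflicts(events)
  seen = Hash.new { |hash, key| hash[key] = [] }
  events.each { |event| record_kinds(event, seen) }
  seen.select { |_path, kinds| kinds.uniq.size > 1 }.keys.sort
end

# Move a concrete value under a sub-key so the field is always an object.
def wrap_concrete(event, field, subkey = "name")
  value = event[field]
  return event if value.nil? || value.is_a?(Hash)
  event.merge(field => { subkey => value })
end

EVENTS = [
  # Assumed earlier event: host already indexed as an object.
  { "type" => "abbmq", "host" => { "name" => "node-a" } },
  # Shaped like the rejected event: host is a plain string.
  { "type" => "abbmq", "host" => "[host][name]", "loglevel" => ["E", "E"] },
].freeze

puts mapping_conflicts(EVENTS).inspect
puts mapping_conflicts(EVENTS.map { |e| wrap_concrete(e, "host") }).inspect
```

Wrapping only fixes the shape of the field; a literal string such as `[host][name]` still has to be corrected or dropped at the source.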
