Metricbeat to logstash parsing error: illegal_state_exception & Can't get text on a START_OBJECT

parthmaniar · June 14, 2020, 6:55pm

Hello, I am using the following configuration to get metrics from a Raspebrry Pi (running Raspberry OS) using Metricbeat. It works flawlessly when I send the logs directly to elasticsearch. However, I want to move my ingest load to a dedicated devices running logstash. Whenever I change the output to logstash following is the error I get:

[2020-06-05T16:09:16,390][WARN ][logstash.outputs.elasticsearch][main][563a0d925db00a15e26e2833ed06a38cf68d194b06cb4411456ec679ab0fe6ff] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"gebbs", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x18c02de>], :response=>{"index"=>{"_index"=>"gebbs", "_type"=>"_doc", "_id"=>"O-QQhHIBnvxMCmxROA7n", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text] in document with id 'O-QQhHIBnvxMCmxROA7n'. Preview of field's value: '{hostname=financesrv, os={kernel=4.19.97-v7+, codename=buster, name=Raspbian GNU/Linux, family=debian, version=10 (buster), platform=raspbian}, containerized=false, name=financesrv, id=448535ae96d34b1799e964bd3cd3a439, architecture=armv7l}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:903"}}}}}



[2020-06-05T16:09:16,398][WARN ][logstash.outputs.elasticsearch][main][563a0d925db00a15e26e2833ed06a38cf68d194b06cb4411456ec679ab0fe6ff] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"gebbs", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x179915d>], :response=>{"index"=>{"_index"=>"gebbs", "_type"=>"_doc", "_id"=>"POQQhHIBnvxMCmxROA7n", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text] in document with id 'POQQhHIBnvxMCmxROA7n'. Preview of field's value: '{hostname=financesrv, os={kernel=4.19.97-v7+, codename=buster, name=Raspbian GNU/Linux, family=debian, version=10 (buster), platform=raspbian}, containerized=false, name=financesrv, id=448535ae96d34b1799e964bd3cd3a439, architecture=armv7l}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:873"}}}}}

Here is the logstash pipeline configuration:

input {
  beats {
    port => 5050
  }
}

output {
        elasticsearch {
            hosts => ["https://IP of elasticsearch:9200"]
            ssl => true
            user => 'ID'
            password => 'password'
            cacert => '/etc/logstash/elasticsearch-ca.pem'
            ssl_certificate_verification => false
            ilm_enabled => auto
            ilm_rollover_alias => "rpi-metricbeat"
            index => "%{[@metadata][beat]}-%{[@metadata][version]}"
        }
        #file {
        #    path => "/tmp/cowrie-logstash.log"
        #    codec => json
        #}
        #stdout {
            #codec => rubydebug
        #}
}

Badger · June 14, 2020, 7:40pm

Read this post and then this post.

system · July 12, 2020, 7:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mapper_parsing_exception error on logstash Logstash	3	1499	July 30, 2018
Running into problems moving from Logstash ingestion to Filebeat harvesting Elasticsearch	2	382	September 5, 2018
Can't get text on a START_OBJECT at 1:1043 Logstash	5	8819	September 5, 2019
Error parsing file from filebeat Logstash	2	907	June 11, 2019
Can't get text on a START_OBJECT Beats filebeat	3	4674	October 26, 2020

Metricbeat to logstash parsing error: illegal_state_exception & Can't get text on a START_OBJECT

Related topics