org.elasticsearch.index.mapper.MapperParsingException: failed to parse [error]

alexus · December 28, 2017, 5:19pm

I followed MySQL module | Filebeat Reference [6.1] | Elastic to configure filebeat's module:

[root@7svdbm01 ~]# cat /etc/filebeat/modules.d/mysql.yml 
- module: mysql
  # Error logs
  error:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/mariadb/mariadb.log"]

  # Slow logs
  slowlog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/lib/mysql/7svdbm01-slow.log"]
[root@7svdbm01 ~]#

yet getting following error in elasticsearch's log:

[2017-12-27T21:31:24,312][DEBUG][o.e.a.b.TransportShardBulkAction] [filebeat-6.1.1-2017.12.27][0] failed to execute bulk item (index) BulkShardRequest [[filebeat-6.1.1-2017.12.27][0]] containing [index {[filebea
t-6.1.1-2017.12.27][doc][XbP1mmABalgviv2OvS2X], source[{"@timestamp":"2017-12-28T02:31:22.211Z","offset":7687579,"beat":{"hostname":"7svdbm01.uftwf.local","name":"7svdbm01.uftwf.local","version":"6.1.1"},"prospe
ctor":{"type":"log"},"source":"/var/lib/mysql/7svdbm01-slow.log","message":"# Time: 171227 21:31:19","fileset":{"module":"mysql","name":"slowlog"},"error":{"message":"Provided Grok expressions do not match field
 value: [# Time: 171227 21:31:19]"}}]}]
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [error]
.....
Caused by: java.lang.IllegalStateException: Can't get text on a START_OBJECT at 1:312
.....

It looks like has something to do with mapping, however template seems to be set fine:

# curl --silent --request GET elasticsearch:9200/_cat/templates/filebeat-*
filebeat-6.1.1 [filebeat-6.1.1-*] 1 
filebeat-6.1.0 [filebeat-6.1.0-*] 1 
#

Please advise.

steffens · January 4, 2018, 12:39pm

It's not the mapping, but the grok pattern not matching # Time: 171227 21:31:19. The message is somewhat short... I think this should be a multiline event, not just the timestamp. Can you check the slow log entry having some actual contents, besides the timestamp?

alexus · January 8, 2018, 9:20pm

following is grep line with additional before and after line of /var/lib/mysql/7svdbm01-slow.log:

[root@7svdbm01 ~]# grep -A1 -B1 '# Time: 171227 21:31:19' /var/lib/mysql/7svdbm01-slow.log 
DELETE FROM node_revisions where vid in (SELECT vid FROM node WHERE type = '' AND uid = 0);
# Time: 171227 21:31:19
# User@Host: X[X] @ X.X.X [X.X.X.X]
[root@7svdbm01 ~]#

this is standard slow.log file, I haven't had a need to customize it anyhow...

tudor · January 9, 2018, 3:16pm

Is the file starting with a #Time line? I think that can happen and results in an error, but the rest of the entries should be correctly parsed and indexed. If you can share a portion of the slow log that triggers the error, I can see if it reproduces on my computer.

alexus · January 9, 2018, 4:47pm

@tudor

yes, file has a line that starts with # Time (see below):

[root@7svdbm01 ~]# grep '^# Time: 171227 21:31:19' /var/lib/mysql/7svdbm01-slow.log
# Time: 171227 21:31:19
[root@7svdbm01 ~]#

regardless to that error, I do NOT see any slow log queries via Kibana ([Filebeat MySQL] Overview.

system · February 6, 2018, 4:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.