Trying to update a document but keep getting validation or parse errors

I have a set of documents created by filebeat -> logstash pushed to Elasticsearch and they look like this...

{
  "_index": "sub_myapp_prod-filebeat-7.17.7-2023.04",
  "_type": "_doc",
  "_id": "IPLahocBBfkGcvN800_A",
  "_version": 1,
  "_seq_no": 2057636,
  "_primary_term": 1,
  "found": true,
  "_source": {
    "logger": "myapp-sub",
    "host": {
      "name": "fdc3fd32fc5f"
    },
    "mymessage": "[application] GMBHelper::fetchReviews response has no totalReviewCount. ...",
    "stream": "stderr",
    "message": "NOTICE: PHP message: [2023-04-15 22:38:18] myapp-sub.ERROR: [application] GMBHelper::fetchReviews response has no totalReviewCount. ...",
    "@timestamp": "2023-04-15T21:38:18.907Z",
    "agent": {
      "id": "f84f19b3-6802-44bd-a096-0fd5d67ae3de",
      "hostname": "fdc3fd32fc5f",
      "name": "fdc3fd32fc5f",
      "type": "filebeat",
      "ephemeral_id": "f4081a93-5739-4bda-9270-87e93e7c22b5",
      "version": "7.17.7"
    },
    "timestamp": "2023-04-15 22:38:18",
    "ecs": {
      "version": "1.12.0"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "type": "monolog",
    "input": {
      "type": "container"
    },
    "@version": "1",
    "log": {
      "offset": 33227987478,
      "file": {
        "path": "/var/lib/docker/containers/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055-json.log"
      }
    },
    "docker": {
      "container": {
        "labels": {
          "io_rancher_environment_uuid": "1bad0e96-1ad3-4e6b-9522-3971998e163f",
          "co_elastic_logs/enabled": "true",
          "io_rancher_container_ip": "10.42.47.100/16",
          "io_rancher_stack_service_name": "submyappprod/php",
          "io_rancher_container_name": "submyappprod-php-1",
          "io_rancher_container_mac_address": "02:7e:2e:57:19:30",
          "io_rancher_service_hash": "c01a241978e86b870e84e99a2d301e88aa1bdf6d",
          "io_rancher_cni_wait": "true",
          "io_rancher_cni_network": "ipsec",
          "io_rancher_project_name": "submyappprod",
          "io_rancher_project_service_name": "submyappprod/php",
          "io_rancher_container_uuid": "0ea6a19a-c899-4d4d-82e2-404674310d89",
          "io_rancher_stack_name": "submyappprod",
          "io_rancher_service_deployment_unit": "66aa975f-9827-4076-a943-eaec10ec5e39",
          "io_rancher_service_launch_config": "io.rancher.service.primary.launch.config"
        }
      }
    },
    "level": "ERROR",
    "container": {
      "id": "0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055",
      "name": "r-submyappprod-php-1-0ea6a19a",
      "image": {
        "name": "registry.host.com/user/sub-myapp/php:BLABLA"
      }
    }
  }
}

The important fields are in the _source section. Now if I try to send an update I try a few different things ... first I remove all the _fields. I try both keeping the structure in source and for instance just change the _source -> message content and I get as a result

$ curl -X POST https://search-BLBLLALLA.us-east-1.es.amazonaws.com/sub_myapp_prod-filebeat-7.17.7-2023.04/_doc/IPLahocBBfkGcvN800_A/_update -H "Content-Type: application/json" -d "$JSON_CNT"
{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a VALUE_STRING in [logger].","line":3,"col":15}],"type":"x_content_parse_exception","reason":"[3:15] [UpdateRequest] failed to parse field [_source]","caused_by":{"type":"parsing_exception","reason":"Unknown key for a VALUE_STRING in [logger].","line":3,"col":15}},"status":400}

I also try specifying just the logger field, i.e. I send only this in the body

{
  "logger": "anotherValueForLogger"
}

However when I run the curl request I get ....

curl -X POST https://search-BLBLLBLB.us-east-1.es.amazonaws.com/sub_myapp_prod-filebeat-7.17.7-2023.04/_doc/IPLahocBBfkGcvN800_A/_update -H "Content-Type: application/json" -d "$JSON_CNT"
{"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[2:3] [UpdateRequest] unknown field [logger]"}],"type":"x_content_parse_exception","reason":"[2:3] [UpdateRequest] unknown field [logger]"},"status":400}

What am I missing? How can I update this when in Kibana it is all shown good and well? I.e. I get all the fields displayed in Kibana as outside the _source when viewing in table format. I am lost as I don't get why it is not liking the way the update is done.

I'm afraid that you are not using the official Elasticsearch service available at Cloud by Elastic, also available if needed from AWS Marketplace, Azure Marketplace and Google Cloud Marketplace.

Cloud by Elastic is one way to have access to all features, all managed by us. Think about what is there yet like Security, Monitoring, Reporting, SQL, Canvas, Maps UI, Alerting and built-in solutions named Observability, Security, Enterprise Search and what is coming next ...

I'm not sure we can help here as the service running behind the scene is not exactly Elasticsearch.

Hi David

On AWS I am still using a community and not an AWS specific build as outlined by the version system. I understand you have a business stream from selling your own deployment but this error is rather generic and not AWS specific.

{
  "name" : "fd2.....a",
  "cluster_name" : "50994......es",
  "cluster_uuid" : "o2yz......vToA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "tar",
    "build_hash" : "unknown",
    "build_date" : "2022-09-01T11:13:58.536555Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

It would be great to see an actual suggestion as to what to do next for troubleshooting.

That is not the official build as the build hash is unknown. AWS have compiled a custom version and are as far as I know also using custom plugins, so it is difficult to know what impact this will or will not have. As you are using their managed service there are probably also proxies between you and the cluster, which could have an impact.

It may help if you could reproduce this on a standard, official 7.10.2 OSS build.

Hi @Christian_Dahlqvist, the body is shown in full for the second request where I get an x_content_parse_exception and easy to repeat here.

{
  "logger": "anotherValueForLogger"
}

As I described in the original post, in the second request I totally remove the _source root field and just use the subfields. Not sure it is correct but I tried this after using the full _source in the first request. An extract of the body looks like ....

{
  "_source": {
    "logger": "myapp-sub",
    "host": {
      "name": "fdc3fd32fc5f"
    },
    "mymessage": "[application] GMBHelper::fetch.....",
    "stream": "stderr",
    "message": "NOTICE: PHP message: [2023-04-15 22:38:18] myapp-sub.ERROR: [application] GMBHelper::fetch ....",
    "@timestamp": "2023-04-15T21:38:18.907Z",
    "agent": {
      "id": "f84f19b3-6802-44bd-a096-0fd5d67ae3de",
      "hostname": "fdc3fd32fc5f",
      "name": "fdc3fd32fc5f",
      "type": "filebeat",
      "ephemeral_id": "f4081a93-5739-4bda-9270-87e93e7c22b5",
      "version": "7.17.7"
    },
    "timestamp": "2023-04-15 22:38:18",
    "ecs": {
      "version": "1.12.0"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "type": "monolog",
    "input": {
      "type": "container"
    },
    "@version": "1",
    "log": {
      "offset": 33227987478,
      "file": {
        "path": "/var/lib/docker/containers/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055-json.log"
      }
    },
    "docker": {
      "container": {
        "labels": {
          "io_rancher_environment_uuid": "1bad0e96-1ad3-4e6b-9522-3971998e163f",
          "co_elastic_logs/enabled": "true",
          "io_rancher_container_ip": "10.42.47.100/16",
          "io_rancher_stack_service_name": "submyappprod/php",
          "io_rancher_container_name": "submyappprod-php-1",
          "io_rancher_container_mac_address": "02:7e:2e:57:19:30",
          "io_rancher_service_hash": "c01a241978e86b870e84e99a2d301e88aa1bdf6d",
          "io_rancher_cni_wait": "true",
          "io_rancher_cni_network": "ipsec",
          "io_rancher_project_name": "submyappprod",
          "io_rancher_project_service_name": "submyappprod/php",
          "io_rancher_container_uuid": "0ea6a19a-c899-4d4d-82e2-404674310d89",
          "io_rancher_stack_name": "submyappprod",
          "io_rancher_service_deployment_unit": "66aa975f-9827-4076-a943-eaec10ec5e39",
          "io_rancher_service_launch_config": "io.rancher.service.primary.launch.config"
        }
      }
    },
    "level": "ERROR",
    "container": {
      "id": "0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055",
      "name": "r-submyappprod-php-1-0ea6a19a",
      "image": {
        "name": "registry.host.com/bizmate/sub-myapp/php:MR-168-increaseGMB_locations_loading"
      }
    }
  }
}

With this last content I get the parsing_exception as shown in the original post. I will try to run a local version of docker and import the index but from the responses these are not proxy or any other intermediary layers but just the OSS version. Yes the build is not mentioned but this is most likely because it is run from the tarball?

I'd recommend to use the same version of filebeat and Elasticsearch.

So if you want to use filebeat 7.17.7, I'd recommend upgrading Elasticsearch to 7.17.7. 7.10 is very old and might not be compatible.
Or if you want to keep the Elasticsearch 7.10 version (not recommended as many security patches have been added since then), you should downgrade filebeat to 7.10.

In this case I am just trying to do a single manual update. Filebeat is not used here, just curl.

I'd check the mapping.

If you can't find the problem, could you provide a full recreation script as described in About the Elasticsearch category? It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.


I actually see what is happening:

Have a look at the Update API:

_source can only be true or false.

But actually I think that you don't want to use the update API but the index API.
So try something like:

PUT wix_myreviews_prod-filebeat-7.17.7-2023.04/_doc/IPLahocBBfkGcvN800_A
{
    "logger": "myapp-sub",
    "host": {
      "name": "fdc3fd32fc5f"
    },
    "mymessage": "[application] GMBHelper::fetch.....",
    "stream": "stderr",
    "message": "NOTICE: PHP message: [2023-04-15 22:38:18] myapp-sub.ERROR: [application] GMBHelper::fetch ....",
    "@timestamp": "2023-04-15T21:38:18.907Z",
    "agent": {
      "id": "f84f19b3-6802-44bd-a096-0fd5d67ae3de",
      "hostname": "fdc3fd32fc5f",
      "name": "fdc3fd32fc5f",
      "type": "filebeat",
      "ephemeral_id": "f4081a93-5739-4bda-9270-87e93e7c22b5",
      "version": "7.17.7"
    },
    "timestamp": "2023-04-15 22:38:18",
    "ecs": {
      "version": "1.12.0"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "type": "monolog",
    "input": {
      "type": "container"
    },
    "@version": "1",
    "log": {
      "offset": 33227987478,
      "file": {
        "path": "/var/lib/docker/containers/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055-json.log"
      }
    },
    "docker": {
      "container": {
        "labels": {
          "io_rancher_environment_uuid": "1bad0e96-1ad3-4e6b-9522-3971998e163f",
          "co_elastic_logs/enabled": "true",
          "io_rancher_container_ip": "10.42.47.100/16",
          "io_rancher_stack_service_name": "submyappprod/php",
          "io_rancher_container_name": "submyappprod-php-1",
          "io_rancher_container_mac_address": "02:7e:2e:57:19:30",
          "io_rancher_service_hash": "c01a241978e86b870e84e99a2d301e88aa1bdf6d",
          "io_rancher_cni_wait": "true",
          "io_rancher_cni_network": "ipsec",
          "io_rancher_project_name": "submyappprod",
          "io_rancher_project_service_name": "submyappprod/php",
          "io_rancher_container_uuid": "0ea6a19a-c899-4d4d-82e2-404674310d89",
          "io_rancher_stack_name": "submyappprod",
          "io_rancher_service_deployment_unit": "66aa975f-9827-4076-a943-eaec10ec5e39",
          "io_rancher_service_launch_config": "io.rancher.service.primary.launch.config"
        }
      }
    },
    "level": "ERROR",
    "container": {
      "id": "0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055",
      "name": "r-submyappprod-php-1-0ea6a19a",
      "image": {
        "name": "registry.host.com/bizmate/sub-myapp/php:MR-168-increaseGMB_locations_loading"
      }
    }
}
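The two request shapes discussed in this answer, as an added example that is not part of the original thread: a partial update sends only the changed fields wrapped in a top-level `doc` object to the Update API, while a full replace sends the bare `_source` content to the Index API. The function names and the trimmed sample document are constructed for illustration, and the example goes one step beyond the thread by passing the `_seq_no` and `_primary_term` from the GET response as `if_seq_no` / `if_primary_term`, so the write is rejected if the document changed in between.

```python
import copy
import json
from urllib.parse import quote

# Constructed sample: a trimmed GET response shaped like the one in the thread.
GET_RESPONSE = {
    "_index": "sub_myapp_prod-filebeat-7.17.7-2023.04",
    "_id": "IPLahocBBfkGcvN800_A",
    "_seq_no": 2057636,
    "_primary_term": 1,
    "_source": {"logger": "myapp-sub", "host": {"name": "fdc3fd32fc5f"}, "level": "ERROR"},
}


def _merge(base, changes):
    """Recursively merge changes into base, as a partial update does for objects."""
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            _merge(base[key], value)
        else:
            base[key] = value
    return base


def _target(hit, endpoint):
    """Build the path plus optimistic-concurrency parameters from the GET metadata."""
    path = f"/{quote(hit['_index'], safe='')}/{endpoint}/{quote(hit['_id'], safe='')}"
    return f"{path}?if_seq_no={hit['_seq_no']}&if_primary_term={hit['_primary_term']}"


def partial_update(hit, changes):
    """Update API: only the changed fields, wrapped in a top-level "doc" object."""
    return "POST", _target(hit, "_update"), json.dumps({"doc": changes})


def full_replace(hit, changes):
    """Index API: the whole document body is the bare _source content, no wrapper."""
    source = _merge(copy.deepcopy(hit["_source"]), changes)
    return "PUT", _target(hit, "_doc"), json.dumps(source)


if __name__ == "__main__":
    for method, path, body in (
        partial_update(GET_RESPONSE, {"logger": "anotherValueForLogger"}),
        full_replace(GET_RESPONSE, {"logger": "anotherValueForLogger"}),
    ):
        print(method, path)
        print(body)
```

Each tuple maps directly onto a curl call or a Kibana Dev Tools request: method, path with query string, then the JSON body.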

Thank you for this suggestion, so for anyone reading I am indeed posting how I managed to finally do the update.

My document includes all fields inside the _source field and as mentioned by @dadoonet the update API was not working. I used just the _doc prefix (I guess this is what the Index API is) and sent a POST request as follows

POST /sub_myapp_prod-filebeat-7.17.7-2023.04/_doc/IPLahocBBfkGcvN800_A
{
    "logger": "myapp-sub",
    "host": {
      "name": "fdc3fd32fc5f"
    },
    "mymessage": "[application] GMBHelper::fetch......",
    "stream": "stderr",
    "message": "NOTICE: PHP message: [2023-04-15 22:38:18] myapp-sub.ERROR: [application] GMBHelper::fetch.....",
    "@timestamp": "2023-04-15T21:38:18.907Z",
    "agent": {
      "id": "f84f19b3-6802-44bd-a096-0fd5d67ae3de",
      "hostname": "fdc3fd32fc5f",
      "name": "fdc3fd32fc5f",
      "type": "filebeat",
      "ephemeral_id": "f4081a93-5739-4bda-9270-87e93e7c22b5",
      "version": "7.17.7"
    },
    "timestamp": "2023-04-15 22:38:18",
    "ecs": {
      "version": "1.12.0"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "type": "monolog",
    "input": {
      "type": "container"
    },
    "@version": "1",
    "log": {
      "offset": 33227987478,
      "file": {
        "path": "/var/lib/docker/containers/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055/0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055-json.log"
      }
    },
    "docker": {
      "container": {
        "labels": {
          "io_rancher_environment_uuid": "1bad0e96-1ad3-4e6b-9522-3971998e163f",
          "co_elastic_logs/enabled": "true",
          "io_rancher_container_ip": "10.42.47.100/16",
          "io_rancher_stack_service_name": "submyappprod/php",
          "io_rancher_container_name": "submyappprod-php-1",
          "io_rancher_container_mac_address": "02:7e:2e:57:19:30",
          "io_rancher_service_hash": "c01a241978e86b870e84e99a2d301e88aa1bdf6d",
          "io_rancher_cni_wait": "true",
          "io_rancher_cni_network": "ipsec",
          "io_rancher_project_name": "submyappprod",
          "io_rancher_project_service_name": "submyappprod/php",
          "io_rancher_container_uuid": "0ea6a19a-c899-4d4d-82e2-404674310d89",
          "io_rancher_stack_name": "submyappprod",
          "io_rancher_service_deployment_unit": "66aa975f-9827-4076-a943-eaec10ec5e39",
          "io_rancher_service_launch_config": "io.rancher.service.primary.launch.config"
        }
      }
    },
    "level": "ERROR",
    "container": {
      "id": "0bd7aaa3ae0a585bbce5307579272c3654e50b590b3cac74eed902f4c80a4055",
      "name": "r-submyappprod-php-1-0ea6a19a",
      "image": {
        "name": "registry.domain.com/bizmate/sub-myapp/php:MR-168-increaseGMB_locations_loading"
      }
    }
  }
