darkmoon
July 9, 2018, 7:16pm
1
With this config:@metadata ][target][id]}"
I get this error on any update (creates work):
I know the document already exists, it's an update, not a create. I've played around with retries and various version settings.
Anyone have any ideas on how to disable the version check? It shouldn't even be checking. The docs (https://www.elastic.co/blog/elasticsearch-versioning-support ) say it's optional, but not how to disable it.
elastic/logstash v5.6.10. Everything works otherwise. Updates using the elastic update api (via curl) work.
darkmoon
July 11, 2018, 12:24pm
2
This is blocking our migration to 5.6 (and thence to 6.x).
Has anyone seen anything like this before, please?
darkmoon
July 16, 2018, 8:30pm
3
Does anyone have a working 5.6 config that does partial updates (update/upsert)?
This works in 5.4 perfectly. It still works via the API (curl). Maybe one of the options has changed?
The 5.x and 6.x documentation both say that version checking is optional, and not active unless turned on. This looks like a bug in the logstash elasticsearch output plugin.
darkmoon
July 23, 2018, 1:11pm
4
I know this is a rare use case, but can someone please take a look at this?
This is a documented feature and it's not working.
darkmoon
July 30, 2018, 5:55pm
5
Can someone please take a look at this? It's been weeks.
darkmoon
July 30, 2018, 8:00pm
7
Do you have a working config then? Would it be possible to share it so I can compare with mine?
Badger
July 30, 2018, 8:39pm
8
The configuration I used was
input { generator { count => 1 message => 'Foo' } }
output { stdout { codec => rubydebug } }
output {
elasticsearch {
hosts => [ "localhost" ]
index => "state_mac"
document_id => "f4:4d:30:60:8a:31"
action => "update"
doc_as_upsert => true
id => "logfilter-pprd-01.internal.cls.vt.edu_es_state"
template_overwrite => false
manage_template => false
retry_on_conflict => 5
}
}
If I change the generator message to be Bar, then it updates just fine. The event looks like this
{
"_index": "state_mac",
"_type": "doc",
"_id": "f4:4d:30:60:8a:31",
"_version": 4,
"_score": null,
"_source": {
"@version": "1",
"host": "...",
"sequence": 0,
"message": "Bar",
"@timestamp": "2018-07-30T20:36:56.969Z"
},
"fields": {
"@timestamp": [
"2018-07-30T20:36:56.969Z"
]
},
"sort": [
1532983016969
]
}
I'd take a close look at the event you are trying to index (using rubydebug to stdout), and the event you are trying to overwrite (in the JSON tab in Kibana/Discover) and see if anything jumps out.
darkmoon
July 30, 2018, 8:53pm
9
What happens when the two versions update different fields? (say src.ip and dst.ip)
I have looked at the raw document, nothing leaped out at me. I'll pull a few versions.
darkmoon
July 31, 2018, 1:21pm
10
(sorry for the formatting. The preformatted text button doesn't work)@timestamp " => 2018-07-31T13:14:37.000Z,@version " => "1",
And this one generated a 409:@timestamp " => 2018-07-31T13:14:52.000Z,@version " => "1",
darkmoon
July 31, 2018, 1:24pm
11
I also have examples where it's not writing to the same fields (assembling sendmail event logs into transactions), but those are more complex. I get the same failure here and I'd like to have other documents that added other things to this one. Circuit number, username, etc.
darkmoon
August 7, 2018, 2:02pm
12
Bump to keep this from expiring.
darkmoon
August 14, 2018, 2:49pm
13
Bump to keep this from expiring.
darkmoon
August 21, 2018, 2:41pm
16
Very odd. I'll give it a try, but I'll need to get to 6.x first. This started when I went from 5.4.1 to 5.6.10.
Partial updates worked after that?
darkmoon
August 28, 2018, 1:16pm
17
Weekly bump. Please, will someone take a look at this bug?
system
September 25, 2018, 1:16pm
18
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.