FYI, here is the error seen:
"status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [entry.AppId.raw]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a END_OBJECT at 1:1416"}}}}, :level=>:warn}
I have been tracking this issue down for a while and I believe I have finally come to the root of the issue. I have an xml document that has fields sometimes null, and sometimes not. When the field is populated, the xml filter parses it correctly into its own field, for example:
calling xml filter:
xml {
    target => entry
    source => message
    force_array => false
}
example of xml:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<AppId>ConsumeAll</AppId>
will result in the following:
"entry": {
    "AppId": "ConsumeAll"
}
This is exactly how it should be, which matches my mapping set for the index, and if all records were like this, I assume I would not have any issues. HOWEVER, if the xml field is null, then we hit issues. Instead of being a null string/object, it gets created as the parent of a nested field such as:
example of xml:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<AppId/>
will result in the following:
"entry": {
    "AppId": {
    }
}
At this point the entry fails because Elasticsearch cannot match that to the template. I have tried removing the field with:
mutate {
    remove_field => [ "[entry][AppID]" ]
}
but the filter does not remove the field, I assume because it is a nested field even though it has nothing nested. Any help is greatly appreciated as I have been beating my head against the wall on this one.
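
Added example (not part of the original post): a Ruby helper, of the kind that could run inside a Logstash ruby filter, that drops the empty objects the xml filter leaves for self-closing elements such as `<AppId/>` so the event matches a string mapping. The function name, the sample fields other than `AppId`, and the ruby-filter wiring shown in the comments are assumptions.

```ruby
# Added example: prune empty-object values from the parsed "entry" structure.

# Recursively drop Hash keys whose value is an empty Hash, or becomes one
# after its own empty members are pruned. Hashes inside Arrays are pruned
# of their empty members; scalars (strings, numbers, nil) pass through.
def prune_empty_objects(value)
  case value
  when Hash
    value.each_with_object({}) do |(key, child), kept|
      pruned = prune_empty_objects(child)
      next if pruned.is_a?(Hash) && pruned.empty?
      kept[key] = pruned
    end
  when Array
    value.map { |item| prune_empty_objects(item) }
  else
    value
  end
end

# Constructed samples mirroring the two cases in the post.
# "User" and "Detail" are hypothetical extra fields added for illustration.
POPULATED = { "AppId" => "ConsumeAll" }.freeze
EMPTY_TAG = {
  "AppId"  => {},                  # from <AppId/>
  "User"   => "alice",
  "Detail" => { "Code" => {} }     # empty element nested one level down
}.freeze

def demo
  [prune_empty_objects(POPULATED), prune_empty_objects(EMPTY_TAG)]
end

# Assumed wiring inside a Logstash ruby filter's code, using the Event API:
#   entry = event.get("entry")
#   event.set("entry", prune_empty_objects(entry)) if entry.is_a?(Hash)

p demo if __FILE__ == $PROGRAM_NAME
```

Logstash field references are case-sensitive: the parsed key above is `AppId`, while the mutate block references `AppID`.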