Graylog Indexer Failure - Field _timestamp is a metadata field and cannot be added inside a document

hellograylog77 · March 30, 2023, 2:25pm

There was a post about Graylog Indexer failure with the error similar to

Field [_timestamp] is a metadata field and cannot be added inside a document. Use the index API request parameters.

on this community forum. But, since this did not have any solution yet, I am asking this again. Anybody has any suggestions on how to go about resolving this Indexer failure issue ?Lots of Indexer failures recently

Wine_Merchant · March 30, 2023, 2:41pm

Hey @hellograylog77,

I’ve not tested this myself but could you use something like the below pipeline rule attached to correct stream. That is assuming that as with the the ticket you linked the ‘_’ is in fact ‘@’.

rule "alter field"
when
  has_field("@timestamp")
then
  rename_field("@timestamp", "new_timestamp");
end

system · April 13, 2023, 2:41pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Lots of Indexer failures recently Graylog Central (peer support) pipeline-rules , debuggingpl	6	1107	April 16, 2021
Indexer failures for timestamp Graylog Central (peer support)	10	2229	July 5, 2019
Indexing Failures Graylog Central (peer support) sidecar , filebeat-windows	3	1186	December 26, 2018
Indexer Errors Because of mapper_parsing_exception Graylog Central (peer support) filebeat-linux , elastic	3	249	January 1, 2024
Reindex graylog data to elastic 5.x Development	6	1081	May 12, 2021

Graylog Indexer Failure - Field _timestamp is a metadata field and cannot be added inside a document

Related Topics