I just noticed that I recently have lots of Indexer failures like this:
{"type":"mapper_parsing_exception","reason":"Field [_timestamp] is a metadata field and cannot be added inside a document. Use the index API request parameters."}
I don’t know where those errors are coming from - and why I suddenly get them.
Also interesting: Only the Graylog master node has these errors in the log. I have a setup with 2 Graylog nodes. The other node does not have such errors.
I have no idea where this “_timestamp” field suddenly comes from.
Elasticsearch doesn’t allow field names to start with _ so those are being stripped. Once they are removed the field name becomes “timestamp”, which is a system-defined metadata field that can’t be contained in a document. That’s why you’re seeing indexer failures.
You can view the input to see messages that contain the field to help determine the source.
I use Logstash to feed Graylog. I double checked my configuration; I am not actively sending a field named “_timestamp”. I have no idea where this suddenly comes from.
All I get in the Graylog server log are lines like this:
“… id [b9a30272-9030-11eb-a94f-0242620bd9d0], message [ElasticsearchException[Elasticsearch exception [type=mapper_parsing_exception, reason=Field [_timestamp] is a metadata field and cannot be added inside a document. Use the index API request parameters.]]] …”
Documents with this ID don’t exist in Elasticsearch (of course not, because of the index failure), so I can’t see which documents failed.
It would help to get some more information, e.g. who (IP) is sending this faulty message, what the faulty message looks like, etc. Is there a way to get this kind of information in the Graylog Server?
To my surprise, the message does not have a field named _timestamp - it has a field named @timestamp. Is there some sort of conversion going on in the Graylog server from @ to _?
@ is not supported as a character in a field name either, so the net result is the same. Try replacing the symbol with some other prefix in the pipeline to allow a unique field name to be created. Perhaps source_timestamp?
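One way to chase this down on the sending side, as an added example that is not Graylog's own code and not part of this thread: a small Python script that (a) parses indexer-failure lines like the one quoted above to pull out the message id and the field name Elasticsearch rejected, and (b) runs candidate messages through a model of the field-name normalisation the replies describe, flagging any field that would collide with an Elasticsearch metadata name and renaming it with a prefix such as source_. The normalisation rule (replace any character outside letters, digits, underscore, dot and hyphen with an underscore) is an assumption chosen to reproduce what the thread observed (a sent "@timestamp" showing up as "_timestamp"); the metadata field list is an illustrative subset; the log line and message are constructed.

```python
import re
from typing import Dict, List

# ASSUMED normalisation rule, modelled on the thread's observation that a field sent as
# "@timestamp" is reported back as "_timestamp". This is an illustrative model of what
# the replies describe, not Graylog's actual implementation.
INVALID_KEY_CHARS = re.compile(r"[^A-Za-z0-9_.\-]")

# Illustrative subset of Elasticsearch metadata field names that cannot appear inside
# a document body. "_timestamp" is the one named in the thread's error message.
ES_METADATA_FIELDS = frozenset({
    "_index", "_id", "_type", "_source", "_routing", "_timestamp", "_ttl",
    "_parent", "_field_names", "_seq_no", "_primary_term", "_version",
})

# Matches the shape of the Graylog server log line quoted in the thread and captures
# the message id and the rejected field name.
INDEXER_FAILURE_RE = re.compile(
    r"id \[(?P<id>[0-9a-f-]+)\].*?"
    r"mapper_parsing_exception, reason=Field \[(?P<field>[^\]]+)\] is a metadata field"
)

# Constructed sample: one failure line shaped like the thread's quote, one unrelated line.
SAMPLE_SERVER_LOG = [
    "2021-03-29T10:00:00.000Z ... id [b9a30272-9030-11eb-a94f-0242620bd9d0], "
    "message [ElasticsearchException[Elasticsearch exception [type=mapper_parsing_exception, "
    "reason=Field [_timestamp] is a metadata field and cannot be added inside a document. "
    "Use the index API request parameters.]]] ...",
    "2021-03-29T10:00:01.000Z ... some unrelated log line ...",
]

# Constructed sample message with the field the original poster found in their data.
SAMPLE_MESSAGE = {
    "message": "user login ok",
    "source": "web-01",
    "@timestamp": "2021-03-29T10:00:00.000Z",
    "level": 6,
}


def parse_indexer_failures(log_lines: List[str]) -> Dict[str, str]:
    """Return {message_id: rejected_field} for every line that looks like an indexer failure."""
    found: Dict[str, str] = {}
    for line in log_lines:
        m = INDEXER_FAILURE_RE.search(line)
        if m:
            found[m.group("id")] = m.group("field")
    return found


def normalise_key(key: str) -> str:
    """Apply the assumed field-name normalisation: invalid characters become '_'."""
    return INVALID_KEY_CHARS.sub("_", key)


def check_message(fields: Dict[str, object]) -> Dict[str, str]:
    """Return {original_key: normalised_key} for every field that would hit a metadata name."""
    problems: Dict[str, str] = {}
    for key in fields:
        norm = normalise_key(key)
        if norm in ES_METADATA_FIELDS:
            problems[key] = norm
    return problems


def rename_colliding_fields(fields: Dict[str, object], prefix: str = "source") -> Dict[str, object]:
    """Rename each colliding field to '<prefix>_<name without leading @/_>', e.g. @timestamp -> source_timestamp."""
    colliding = check_message(fields)
    fixed: Dict[str, object] = {}
    for key, value in fields.items():
        if key in colliding:
            fixed[f"{prefix}_{key.lstrip('@_')}"] = value
        else:
            fixed[key] = value
    return fixed


if __name__ == "__main__":
    print("indexer failures:", parse_indexer_failures(SAMPLE_SERVER_LOG))
    print("colliding fields:", check_message(SAMPLE_MESSAGE))
    print("after rename:", rename_colliding_fields(SAMPLE_MESSAGE))
```

Run against the constructed input it reports the rejected field "_timestamp" for the quoted message id, flags "@timestamp" in the sample message, and shows that renaming it to "source_timestamp" leaves nothing that collides. Feeding it the field names from your own Logstash output, or the failure lines from your own server log, is the same two calls.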