Mapper parsing exceptions after migration to OpenSearch

Graylog Central (peer support)
1

Graylog: 4.3.7
OpenSearch: 1.3.5

After the migration from ElasticSearch to OpenSearch I get lots of mapper parsing exceptions (“failed to parse field [level] of type [long]”):

... [317]: index [graylog_5266], type [_doc], id [9b6c2f86-3849-11ed-9071-0242775af1e6], message [ElasticsearchException[Elasticsearch exception [[338]: index [graylog_5266], type [_doc], id [9b6ca4b0-3849-11ed-9071-0242775af1e6], message [ElasticsearchException[Elasticsearch exception [type=mapper_parsing_exception, reason=failed to parse field [level] of type [long] in document with id '9b6ca4b0-3849-11ed-9071-0242775af1e6'. Preview of field's value: 'INFO']]; nested: ElasticsearchException[Elasticsearch exception [type=illegal_argument_exception, reason=For input string: "INFO"]];] ...

When I do a “Show top values” I get lots of different values for “level”. So it seems some messages go into OpenSearch, and some cause issues. But I don’t get why.

Please help.

top
top497×538 13.9 KB

2

Hello @hangstl

I’ve seen this issue before here, Some how, some way your field “level” was set to something different. Only a few ways I know how to solve this.

  • Check elasticsearch and correct it to type “long”.
  • Create a new index and send log to that one.

Here is an example of of checking fro field “LEVEL” type.

[root@graylog graylog_user]#  curl -XGET http://localhost:9200/graylog_1723/_mapping/field/level?pretty
{
  "graylog_1723" : {
    "mappings" : {
      "level" : {
        "full_name" : "level",
        "mapping" : {
          "level" : {
            "type" : "long"
          }
        }
      }
    }
  }
}
[root@graylog graylog_user]#
1 Like
3

Here are two related feature requests, please upvote over in Github for more visibility :

4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.