Sending GELF via HTTP - error "is missing mandatory . . . field"

Graylog Central (peer support)
21

I’ve discovered that the messages “stuck” in the journal are the ones where I set a timestamp attribute, e.g.:

{"timestamp": 1545401448067, "host": "xyz.com", "version": "1.1", "_cs_data": "XX", "short_message": "csdatareplicator"}

The same (minus the timestamp) is indexed:

{"host": "xyz.com", "version": "1.1", "_cs_data": "XX", "short_message": "csdatareplicator"}

The Example Payload in the GELF 2.5 docs shows a timestamp field in the document.

2 Likes
22

Thank you very much!

I can reproduce that, I am a new developer and I am not sure if what is the expected behavior. But it is a bug anyway:

  1. Either it’s supposed to work with timestamp
  2. or it is not and the manual is wrong at the point

Could you please open an issue for that and I will see that the issue gets fixed?

1 Like
23

Thank you. Issue 5501 has been created.

1 Like
24

Thanks a lot!

Konrad

25

As @dennis pointed out in the github issue the format of the timestamp was wrong.
A timestamp with milliseconds should be in float notation like: "timestamp":1545401488.441 or without
milliseconds like: "timestamp":1545401488. This solves the issue.

26

Thank you. Apologies for missing that. As it turns out, I had two issues:

  • wrong precision on my timestamp (as you pointed out)
  • a field in the “inner” JSON document - also called timestamp - that seemed to be conflicting with the GELF timestamp.

Once I fixed (removed) the duplicate timestamp element, all of my logs started to flow.

2 Likes
27

I’m very happy that you got it all sorted out!

Sorry for dropping out of the conversation all of a sudden; I’m at a SANS training all week, which is taking ALL of my time :smiley:

28

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.