Troubleshooting Indexer Faults

sparkblaze · August 18, 2017, 9:20am

[148]: index [graylog_320], type [message], id [98e00800-83f3-11e7-9789-0050568ffebc], message [MapperParsingException[failed to parse [date]]; nested: IllegalArgumentException[Invalid format: "18/08/2017" is malformed at "/08/2017"];]

2017-08-18T09:59:55.260+01:00 ERROR [GelfCodec] Could not parse JSON, first 400 characters: Udp data
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Udp': was expecting ('true', 'false' or 'null')
 at [Source: Udp data; line: 1, column: 4]
        at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1702) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:558) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._reportInvalidToken(ReaderBasedJsonParser.java:2839) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1903) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:749) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3834) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3783) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2381) ~[graylog.jar:?]
        at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:120) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:79) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

Hey guys,

Can anyone point me in the direction of understanding where these two errors originate from so I can try to resolve them?

jochen · August 21, 2017, 9:26am

This message simply explains that the date message field doesn’t contain a valid date as expected by the index mapping in Elasticsearch.

You can use an extractor or the processing pipeline to use the correct date format and/or create a custom index mapping for the date field.

Some client sent an invalid GELF message to a GELF TCP or UDP input.

The string

Udp data

simply isn’t valid GELF/JSON.

sparkblaze · August 21, 2017, 10:15am

This is fine, but I don’t know where these messages are coming from, since they’re being dropped I can’t see anything (obvious) that would help me identify them… unless the correct approach is to start turning off collectors until the error goes away?

system · September 4, 2017, 10:15am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Indexer failures Graylog Central (peer support)	2	3031	March 3, 2017
Json extractor problem Graylog Central (peer support)	12	4424	February 28, 2018
Graylog 2.2 MapperParsingException on Exchange Logs Graylog Central (peer support)	10	802	March 28, 2017
MapperParsingException EventDate Graylog Central (peer support)	10	1729	September 4, 2017
Mapper Parsing Exception Graylog Central (peer support)	1	936	September 13, 2019

Troubleshooting Indexer Faults

Related Topics