What's the Indexer failures logic?

Hello.
I’m proceeding Nginx access logs, and have the following grok pattern to match HTTP code:%{NUMBER:HTTP_CODE;int}
Very often my ‘Quick values’ request for HTTP codes fails with the following error:

Loading quick values failed with status: Error: cannot GET http://1.2.3.4:9000/api/search/universal/relative/terms?query=gl2_source_input%3A5c94beb3d5256e0c0b346c77%20AND%20REQUEST%3A\%2FCPS\%2F*&range=28800&field=HTTP_CODE&order=HTTP_CODE%3Adesc&size=50&stacked_fields= (500)

And I see indexer errors in Overview pane:

{“type”:“illegal_argument_exception”,“reason”:“mapper [HTTP_CODE] of different type, current_type [long], merged_type [keyword]”}
{“type”:“illegal_argument_exception”,“reason”:“mapper [HTTP_CODE] of different type, current_type [keyword], merged_type [long]”}

My question is why graylog parser ignores data type int which I set in grok pattern and (seems) still trying to guess it?
How it ever possible that NUMBER is being converted to ‘keyword’?
What’s the best way to avoid such issues?

Thanks in advance

you should check what you extract - I guess that it might contain an int, but not a long or similar…

Actually I even tried regex to match exactly 3 digits of HTTP code: [1-5][0-9][0-9] (so if log really contains some garbage - it will not match and will not be indexed) - that also didn’t help surprisingly.
Is there some way to find out the exact message which caused indexer failure?

Another question is why ‘Quick values’ affected in this scenario - to me we just need to list all entities, not perform some math operations, so I’m really confused how field type can affect this flow.
Whether extracting as a string will be guaranty of fault-tolerance?
Can it be addressed via issue in gitlab?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.