Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

failed to parse field as object, but found a concrete value #26

Open
cdenneen opened this issue Oct 23, 2018 · 2 comments
Open

failed to parse field as object, but found a concrete value #26

cdenneen opened this issue Oct 23, 2018 · 2 comments
Labels
bug

Comments

@cdenneen
Copy link

Logstash 6.4.2
logstash-codec-cloudtrail (3.0.5) still has same problem (#15).

responseElements and requestParameters (and their children like requestParameters.iamInstanceProfile)

[2018-10-23T20:26:49,297][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-cloudtrail-write", :_type=>"_doc", :_routing=>nil}, #<LogStash::Event:0x2b804bc4>], :response=>{"index"=>{"_index"=>"logstash-cloudtrail-000004", "_type"=>"_doc", "_id"=>"H-2bomYBuhFkxAoaxCUs", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [responseElements.role] tried to parse field [role] as object, but found a concrete value"}}}}
[2018-10-23T20:28:28,793][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-cloudtrail-write", :_type=>"_doc", :_routing=>nil}, #<LogStash::Event:0x4cc6643b>], :response=>{"index"=>{"_index"=>"logstash-cloudtrail-000004", "_type"=>"_doc", "_id"=>"gO6domYBuhFkxAoaSECE", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [requestParameters.iamInstanceProfile] tried to parse field [iamInstanceProfile] as object, but found a concrete value"}}}}
@cdenneen
Copy link
Author

@jsvd @robbavey Looks like we've had issues with these fields being parsed and mapped properly for > 3 years now. Can we have someone look into way to fix this?
I'll even POST a custom template/mapping to fix these issues if that's the only solution.

@jsvd jsvd added the bug label Oct 29, 2018
@kares
Copy link

kares commented Dec 2, 2021

Just to chime in for anyone landing here, the codec parses JSON records and does a few tricks to adjust the layout.

One of the ways forward here would be to adapt the plugin to Elastic Common Schema and leverage a predictable flat layout (similar to the one Beats has been using). This would be a separate plugin execution mode, similar to other codecs, as changing the current event layout might break backwards compatibility others might be relying upon.

The plugin mostly relies on support from the community and the last related update has been done by a plugin user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jsvd @kares @cdenneen @robbavey