When logs cannot be indexed into Elasticsearch for any reason, we reprocess the log and put the full log content into the "message" field under the type "logzio-index-failure". This mechanism was developed to make sure that you do not lose log data and that you are aware there is a problem that needs to be resolved.
The main reason for logzio-index-failure logs is a mapping conflict for a particular field. When Elasticsearch first indexes a field, it sets the field type based on the value. So, if the field type is first set as an integer, then only an integer can be indexed within that field. If a log is sent with a value of a different type than the one already set in the field mapping, Elasticsearch will reject the value. You can check the field "index-failed-reason" within one of the failed logs to understand which field has the mapping conflict. You can resolve this issue in a few ways:
- Modify the value within your log to be the same type as the original log.
- Ship that value under a new field name. Since Elasticsearch sets the type of a field the first time that it receives it, sending the value under a new field name creates a new field with the corresponding type.
- If neither of these options works, you can contact Support for help at firstname.lastname@example.org
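
The first two fixes above can be applied in your shipping code before the log is sent. The following is an added example, not Logz.io or Elasticsearch code: it is a simplified model in which the first value seen for a field fixes its type, and the names `normalize`, `seen` and the `_<type>` suffix for renamed fields, as well as the sample logs, are assumptions made for illustration.

```python
# Added example: simplified model, not Elasticsearch's or Logz.io's own logic.
# `seen` is a hypothetical local registry of the first type observed per field.
def json_type(value):
    if isinstance(value, bool):  # check bool first: bool is a subclass of int
        return "boolean"
    for py_type, name in ((int, "integer"), (float, "float"), (str, "string"),
                          (dict, "object"), (list, "array")):
        if isinstance(value, py_type):
            return name
    raise TypeError(f"unsupported value: {value!r}")

def coerce(value, target):
    """Return (True, converted) if value converts cleanly to the target type."""
    scalar = not isinstance(value, (bool, dict, list))
    try:
        if target == "integer" and isinstance(value, str):
            return True, int(value.strip())
        if target == "float" and scalar:
            return True, float(value)
        if target == "string" and scalar:
            return True, str(value)
    except ValueError:
        pass
    return False, value

def normalize(log, seen):
    """Apply the two fixes before shipping: retype if possible, else rename."""
    out = {}
    for field, value in log.items():
        if value is None:  # null carries no type information; pass through
            out[field] = value
            continue
        actual = json_type(value)
        expected = seen.setdefault(field, actual)  # first value sets the type
        ok, converted = (True, value) if actual == expected else coerce(value, expected)
        if ok:  # fix 1: same type as the original log
            out[field] = converted
        else:  # fix 2: ship under a new field name (suffix is an assumption)
            new_name = f"{field}_{actual}"
            seen.setdefault(new_name, actual)
            out[new_name] = value
    return out

# Constructed sample logs, in arrival order.
SAMPLE_LOGS = [{"status": 200, "user": "alice"}, {"status": "404", "user": "bob"},
               {"status": "timeout", "user": 17}, {"status": {"code": 500}}]
def run_sample():
    seen = {}
    return [normalize(log, seen) for log in SAMPLE_LOGS]
```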