Graylog: Data mapping issues

How to resolve Graylog index data mapping problems

👋 Welcome to the Stackhero documentation!

Stackhero offers a ready-to-use Graylog cloud solution that provides a host of benefits, including:

  • Unlimited and dedicated SMTP email server included.
  • Effortless updates with just a click.
  • Customisable domain name secured with HTTPS (for example, https://logs.your-company.com).
  • Optimal performance and robust security powered by a private and dedicated VM.

Save time and simplify your life: it only takes 5 minutes to try Stackhero's Graylog cloud hosting solution!

A frequent issue in Graylog involves data mapping conflicts, which can result in failed indexing attempts. You may encounter this problem if you see logs similar to the following:

ElasticsearchException[Elasticsearch exception [type=mapper_parsing_exception, reason=failed to parse field [level] of type [long] in document with id '34fd4d11-36ed-11f0-afc9-0242ac140002'. Preview of field's value: 'error']]; nested: ElasticsearchException[Elasticsearch exception [type=illegal_argument_exception, reason=For input string: "error"]];

Reason for the issue

This problem stems from OpenSearch's dynamic mapping feature. Dynamic mapping automatically determines the data type of each field based on the first document written to an index. Once this type is set, it is "locked in", and any subsequent document containing a different data type for that field will be rejected, resulting in a mapper parsing exception.

When a new index is created, the first document defines the index mapping. For example, if this document contains a "level" field with the value 3 (a numeric value), OpenSearch sets the data type for "level" to "long" (a numeric type). If a later document sent to Graylog contains the "level" field with the value "error" (a string type), it will be rejected because the data type does not match the one initially defined. This triggers a mapper_parsing_exception error with the reason failed to parse field [level] of type [long] in document with id 'xxx'.

This issue can occur with any field if data types are inconsistent across documents.

How to resolve the issue

To resolve this issue, you have two options:

1. Ensure consistent data types across systems

The ideal solution is to standardise the data types used for fields across all systems sending data to Graylog. For example, ensure that the "level" field is always sent either as a string (such as "error", "warn", etc.) or always as a number (3, 4, etc.). This consistency prevents mapping conflicts and ensures all documents are ingested correctly.

2. Use Graylog pipelines for data conversion

If standardising data types across all systems is not possible, you can use Graylog's pipelines to convert data types upon receipt. Pipelines allow you to define rules that transform data according to specific conditions.

To implement this solution:

  • Go to "System" > "Pipelines" in the Graylog web interface.
  • Click "Add new pipeline" to create a new pipeline.
  • Define rules to convert the "level" field (or other fields) to the desired data type. For example, you can convert numeric levels to their corresponding string representations (such as 3 to "error", 4 to "warning", etc.).

This approach ensures that all incoming data conforms to the expected data types, thereby preventing mapping conflicts.

Viewing and modifying index mappings

For advanced users, Graylog allows you to view and manually adjust index mappings:

  • Go to "System" > "Indices" in the Graylog web interface.
  • Select the relevant index.
  • Navigate to "Configuration" > "Configure index field types" to view or modify field mappings.

However, any manual changes should be made with caution, as incorrect mappings can lead to further ingestion issues.

Other articles for Graylog

  1. Introduction
    Introduction to Graylog, everything you need to know
  2. Getting started
    How to get started with Graylog
  3. Choose input types
    How to choose the right Graylog input type
  4. Configure inputs
    How to configure Graylog inputs
  5. Manage retention
    How to configure log retention
  6. Alerting
    How to send Graylog alerts by email, Slack, or Mattermost
  7. Enterprise licence
    How to manage the Graylog Enterprise licence
  8. Using with Node.js
    How to send logs from Node.js to Graylog
  9. Using with Dot NET
    How to send logs from .NET/Serilog to Graylog
  10. Using with Python
    How to send logs from Python to Graylog