Data ingestion throws 400 - Rejected by OpenSearch #82
Comments
Could you use
Sure we could use
Any workaround? I've been trying to fix this for a while.
Also experiencing the same issue.
Issue resolved by adding a custom dedot Fluentd ClusterFilter to the Fluentd configuration:
This is because field names containing dots can create ambiguity in certain data structures. For example, logs with the label In this case, OpenSearch will think that the JSON of this log should have the following format and try to repeat it twice:

```json
{
  "kubernetes": {
    "labels": {
      "statefulset": {
        "kubernetes": {
          "io": {
            "pod-name": "some_value"
          }
        }
      }
    }
  }
}
```

This misinterpretation can cause unexpected behavior during indexing and querying, and might result in data loss or errors. By replacing dots with underscores using the de_dot filter, we can avoid such ambiguity and ensure that the field name is correctly interpreted. After applying the dedot filter, it becomes:
I'm using the fluent-operator, so the above configuration will be rendered like this:
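
One way the dotted-label ambiguity described in the comment above leads to a rejected document, as an added example that is not part of the thread and not the Fluentd configuration the commenter refers to. The label names `app` and `app.kubernetes.io/name` are constructed sample values, and the helper names (`de_dot`, `field_kinds`, `mapping_conflicts`) are hypothetical, not the dedot plugin's code.

```ruby
# Added example, not from the thread. Sample records are constructed.

# Recursively replace dots in hash keys, as a de_dot-style filter does.
def de_dot(value, separator = '_')
  case value
  when Hash
    value.each_with_object({}) do |(key, child), out|
      out[key.to_s.gsub('.', separator)] = de_dot(child, separator)
    end
  when Array
    value.map { |item| de_dot(item, separator) }
  else
    value
  end
end

# Walk a record the way a dot-expanding indexer reads it: each dot in a key
# opens one more object level. Calls the block with (path, :object | :leaf).
def field_kinds(record, prefix = [], &block)
  record.each do |key, child|
    parts = key.to_s.split('.')
    parts[0...-1].each_index { |i| block.call((prefix + parts[0..i]).join('.'), :object) }
    path = prefix + parts
    block.call(path.join('.'), child.is_a?(Hash) ? :object : :leaf)
    field_kinds(child, path, &block) if child.is_a?(Hash)
  end
end

# Field paths seen both as a scalar and as an object across the records;
# one index mapping cannot hold both, so such documents get rejected.
def mapping_conflicts(records)
  kinds = Hash.new { |hash, path| hash[path] = [] }
  records.each do |record|
    field_kinds(record) { |path, kind| kinds[path] |= [kind] }
  end
  kinds.select { |_path, seen| seen.length > 1 }.keys.sort
end

SAMPLE_RECORDS = [
  { 'kubernetes' => { 'labels' => { 'app' => 'web' } } },
  { 'kubernetes' => { 'labels' => { 'app.kubernetes.io/name' => 'web' } } }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "raw:       #{mapping_conflicts(SAMPLE_RECORDS).inspect}"
  puts "de-dotted: #{mapping_conflicts(SAMPLE_RECORDS.map { |r| de_dot(r) }).inspect}"
end
```

Running the same check over a sample of real records before and after the filter shows whether any dotted keys still collide with existing scalar fields.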
Steps to replicate
Our log pipeline:
FluentBit --> FluentD --> OpenSearch
FluentBit Config:
FluentD Config:
Error inside the Logs:
Expected Behavior or What you need to ask
We only see this error with logs from Windows Server 2016 and 2012 R2. What should the right log format look like in order to ingest data successfully into OpenSearch?
...
Using Fluentd and OpenSearch plugin versions
td-agent 4.4.1 fluentd 1.15.2 (c32842297ed2c306f1b841a8f6e55bdd0f1cb27f)
2022-10-25 15:01:01 +0000 [info]: gem 'fluent-plugin-opensearch' version '1.0.7'
2.2.0