logstash: failed action with response of 400, dropping actio

[_asp_]

Hi,

I've implemented a new parser (logstash filter) for a new logfile. In my private vm it is running smooth. -> no errors in logstash.log.
When rolling out on production, I get the following error in logstash.log:

{:timestamp=>"2016-11-16T08:36:08.292000+0100", :message=>"failed action with response of 400, dropping action: [\"index\", {:_id=>nil, :_index=>\"logstash-2016.11.16\", ...
Each event of the new log is dropped by this error, but the 400 error seems to be thrown for a bulk insert, because it is seems to encapsulate multiple events.

Any Idea? The log is quite heavy (many new lines per second), but resources on system should be enough.

The filter is using nothing really special.
- a bit grok
- a bit ruby for converting hex-String to integer and vice versa
- mutate for removing temporary fields and to convert some types
- date for parse the date to timestamp
- some conditonal statement based on regex comparision

And why is it runnning on vm (NLS 1.4.1) but not in prod (NLS1.4.0)

Thanks, Andreas

[mcapra]

Would it be possible for us to get a few sample log messages to look at as well as the filter+input being applied to them? You can PM them or submit an email ticket if you would prefer they be kept out of the general public's eye.