Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Maximum size fields and Index Fields when doing walks #25

Open
eperry opened this issue Nov 5, 2018 · 1 comment
Open

Maximum size fields and Index Fields when doing walks #25

eperry opened this issue Nov 5, 2018 · 1 comment
Labels
enhancement New feature or request plugin:input-snmp

Comments

@eperry
Copy link

eperry commented Nov 5, 2018
edited
Loading

While doing very liberal SNMP Walks on a server I came across this issue

Field Names can get exceedingly long and SNMP Walks can create a Huge amount of field names

[2018-11-04T18:58:32,704][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"snmp-2018.11.04", :_type=>"logs", :_routing=>nil}, #<LogStash::Event:0x22bdd815>], :response=>{"index"=>{"_index"=>"snmp-2018.11.04", "_type"=>"logs", "_id"=>"lcAp4WYBIR0n9FiBt-hA", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Limit of mapping depth [20] in index [snmp-2018.11.04] has been exceeded due to object field [iso.org.dod.internet.mgmt.mib-2.dismanEventMIB.dismanEventMIBObjects.mteEvent.mteEventTable.mteEventEntry.mteEventEntryStatus.6.95.115.110.109.112.100.95.109.116.101.84.114]"}}}}

[2018-11-04T18:47:28,169][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"snmp-2018.11.04", :_type=>"logs", :_routing=>nil}, #<LogStash::Event:0x78eb628b>], :response=>{"index"=>{"_index"=>"snmp-2018.11.04", "_type"=>"logs", "_id"=>"dpof4WYBf0IKXA2OUQXI", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Limit of total fields [6000] in index [snmp-2018.11.04] has been exceeded"}}}}

I thought I would report it, though I am sure it will need some thought, on how to deal with very long mibs

I was thinking the following

  {
     "OID": oidvalue
  }

to something like

  {
      oid_name: "OID"
      value: oid_value
  }

Not sure how you would do it with one large document
@eperry eperry mentioned this issue Nov 5, 2018
Open
@colinsurprenant colinsurprenant added the enhancement New feature or request label Jul 30, 2019
@geekpete
Copy link

geekpete commented Jun 6, 2023

I wonder if Flattened field type could be used here for some benefit?
https://www.elastic.co/guide/en/elasticsearch/reference/current/flattened.html

@edmocosta edmocosta transferred this issue from logstash-plugins/logstash-input-snmp May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request plugin:input-snmp
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@colinsurprenant @geekpete @eperry @edmocosta