Logstash.outputs.opensearch 400 _bulk error

ERROR:
[ERROR][logstash.outputs.opensearch][main][4924702143da49c76eaa823ba0f23c8372944ad77f0323c2e2ecdb3bdf534563] Encountered a retryable error (will retry with exponential backoff) {:code=>400

The log seems incomplete. Can you provide more of the log? The main error message that OpenSearch returned is needed.

][ERROR][logstash.outputs.elasticsearch][main][c1ba0d82cf6066f4694fc79281db3b669de007fb2046da078f465d075b9dc5f9] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>“https://xxxx.com/_bulk”, :body=>“{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}”}

_type is a deprecated parameter in OpenSearch, so are you using the logstash-output-elasticsearch plugin? Try the logstash-output-opensearch plugin instead.

I have and I get the same result.

[2023-06-12T20:36:41,234][ERROR][logstash.outputs.opensearch][main][2c683fdb209c13f6b54cd7c01a3f460c28284dcfe5c97d49ce088364f8b321e6] Encountered a retryable error (will retry with exponential backoff) {:code=>400, :url=>“XXXX”, :content_length=>138549, :body=>“{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}”}

Which Logstash version did you use? And could you show the Logstash conf file which contains the input, filter, and output?

logstash-7.10.2

input {
  beats {
    port => 5044
  }
}

filter{
        if "ERROR:" in [message] {
                mutate {
                        add_tag => ["ERROR"]
                        add_field => { "raw_message" => "%{[message]}" }
                }
        }
        else if "DECLINED" in [message] {
                mutate {
                        add_tag => ["DECLINE"]
                        add_field => { "raw_message" => "%{[message]}" }
                }
        }

        else if "DBI connect" in [message] {
                if "[ORACLE]" in [message] {
                        mutate {
                                add_tag => ["ORACLE"]
                                split => { "[message]" => " " }
                                add_field => { "ORACLE" => "%{[message]}" }
                        }
                }

        }

        else if "DBI connect" in [message] {
                if "interval" not in [message] {
                        mutate {
                                add_tag => ["INTERVAL"]
                                split => { "[message]" => " " }
                                add_field => { "INTERVAL" => "%{[message]}" }
                        }
                }
        }

        else if "http_error" in [message] {
                mutate {
                        add_tag => ["GWS"]
                        add_field => { "HTTP_ERROR" => "%{[message]}" }
                }
        }
        else{
                grok {
                        match => {
                                "message" => "%{SYSLOGTIMESTAMP:log_timestamp} %{IPORHOST:hostname} %{GREEDYDATA:logs}"
                        }
                }
        }


}

output {
  if "_jsonparsefailure" in [tags] {
        file {
                path => "/var/log/logstash/jsonparsefailure.debug.log"
        }
  }
  if "DECLINED" in [tags]{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "tvalerts-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
  else if "ERROR" in [tags]{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "tvalerts-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
  else if "TVALERTS_UNPARSED" in [tags]{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "tvalerts_unparsed-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
  else if "ORACLE" in [tags]{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "oracle-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
  else if "INTERVAL" in [tags]{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "interval-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
  else if "GWS" in [tags]{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "gws-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
  else{
    opensearch {
      hosts => ["https://xxxx.com"]
      index => "mp1stmile-%{+YYYY.MM.dd}"
      ssl => true
      cacert => "/etc/logstash/certs/sf_bundle-g2-g1.pem"
      ssl_certificate_verification => true
      #ilm_enabled => "false"
      user => "xxxx"
      password => "${es_pass}"
    }
  }
}

It seems to be a version compatibility issue. Take a look at this issue; maybe you can try updating this setting for your OpenSearch cluster:

PUT _cluster/settings
{
  "persistent": {
    "compatibility": {
      "override_main_response_version": true
    }
  }
}