This repository has been archived by the owner on Jun 8, 2023. It is now read-only.

failure in bulk execution #13

Open
adrwh opened this issue Jun 25, 2020 · 2 comments

adrwh commented Jun 25, 2020

Hello, I am using Elastic Cloud, 7.8.0, and getting this failure in CloudWatch logs.

failure in bulk execution:
[0]: index [cloudflare], type [doc], id [null], message [ElasticsearchException[Elasticsearch exception [type=illegal_argument_exception, reason=field [ClientRequestProtocol] not present as part of path [ClientRequestProtocol]]]]

I can see this in the ingest pipelines

{
  "dissect": {
    "field": "ClientRequestProtocol",
    "pattern": "HTTP/%{http.version}"
  }
},
{
  "rename": {
    "field": "ClientRequestProtocol",
    "target_field": "cloudflare.client.request.protocol",
    "ignore_missing": true
  }
}

and this in the index template as a field

"cloudflare.client.request.protocol": {
  "type": "keyword"
}

Everything here looks "fine", I think.

Please help.


adrwh commented Jun 25, 2020

Update: I can confirm that the Cloudflare logs do not include the ClientRequestProtocol in the source data.

I removed the fields from the template and daily and weekly ingest pipelines and was able to send a test log entry successfully using the cli.

Is this a bug somewhere?


lag13 commented Jul 9, 2020

I believe they need to add the "ignore_missing": true to the dissect processor as well; doing that fixed this issue for me. I personally have seen ClientRequestProtocol come through in my logs, which is why I didn't want to remove it from my pipeline.
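
The failure mode discussed in this thread, as an added example that is not part of the original issue or the project's code: a Python check that finds `dissect`/`rename` processors that would reject a record lacking their source field, and returns a copy of the pipeline with `ignore_missing` set. The pipeline wrapper, the sample records and all function names are constructed for illustration.

```python
import copy
import json

# Assumption: only the two processor types quoted in the issue are checked.
CHECKED_TYPES = {"dissect", "rename"}

# Constructed sample: the issue's two processors wrapped in a pipeline body.
PIPELINE = json.loads("""
{"processors": [
  {"dissect": {"field": "ClientRequestProtocol",
               "pattern": "HTTP/%{http.version}"}},
  {"rename": {"field": "ClientRequestProtocol",
              "target_field": "cloudflare.client.request.protocol",
              "ignore_missing": true}}
]}
""")

# Constructed log records: one without the field, one with it.
WITHOUT = {"ClientIP": "203.0.113.7", "EdgeResponseStatus": 200}
WITH = dict(WITHOUT, ClientRequestProtocol="HTTP/1.1")

def has_field(doc, path):
    """True if a dotted path resolves in the (possibly nested) document."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True

def failing_processors(pipeline, doc):
    """(index, type, field) of processors whose source field is absent from
    doc while ignore_missing is unset, checked against the incoming doc only."""
    hits = []
    for i, proc in enumerate(pipeline["processors"]):
        (ptype, opts), = proc.items()
        strict = not opts.get("ignore_missing", False)
        if ptype in CHECKED_TYPES and strict and not has_field(doc, opts["field"]):
            hits.append((i, ptype, opts["field"]))
    return hits

def harden(pipeline):
    """Copy of the pipeline with ignore_missing set on every checked processor."""
    fixed = copy.deepcopy(pipeline)
    for proc in fixed["processors"]:
        (ptype, opts), = proc.items()
        if ptype in CHECKED_TYPES:
            opts["ignore_missing"] = True
    return fixed
```

Running `failing_processors` over a sample of real log records before deploying a pipeline change shows which processors would drop events from a bulk request; the check does not simulate fields created or moved by earlier processors.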
