Kinesis Firehose -> Transform Lambda -> OpenSearch Service: Kinesis Firehose does not support ElasticSearch Bulk API commands inside the Firehose record

We are running an opentelemetry collector that exports the OTEL traces to Kinesis
A Kinesis Firehose Stream transforms the records with a lambda and saves them to the OpenSearch Service destination
The lambda is transforming a single Kinesis record into many OpenSearch documents by setting the index and document ID in the returned JSON body for the record data.

This kind of worked at first. The destination error logs were flooded with {"type":"mapper_parsing_exception","reason":"failed to parse, document is empty"} 400 responses from OpenSearch, but the documents got saved into OpenSearch. Now we've started to see a new error, which increased in frequency to the point we see this error every time in our production pipeline:

Kinesis Firehose does not support ElasticSearch Bulk API commands inside the Firehose record (code: ES.MalformedData)

I've had no luck googling this, but if I understand it correctly, this error means that Kinesis is complaining about the { "index": { "_index": "foo", "_id": "123" } } lines we've added above each document in the record data returned by the lambda transformation. I've noticed the index rotation is not working due to our hard coded index, and Kinesis seems confused about the records delivered to OpenSearch (it says none have been delivered but the index has 250 million documents so far). Buffer settings seem unreliable, as we turning what Kinesis thinks is a single record into potentially thousands of records.

The odd things is data still seems to be making its way into OpenSearch most of the time, but seeing these errors and no way that I know of to resolve them has me hesitant (to say the least) about relying on this solution. From what I can tell in answers such as this one or this one, the core of the issue is we are doing something Kinesis does not support: transforming a single record into multiple records.

It should also be noted, we need to set the document ID manually because we need to rely on upsert logic in some cases, such as the collector sending us the same span for the same trace more than once.

When searching for answers on this, I came across Data Prepper which appears to be an OpenSearch/AWS native solution for our exact use case. At this point I think the only reliable/feasible option is to change to Data Prepper, but I want to make sure I'm not missing something simple first.

Has anyone encountered this error before, or can someone just tell me what it means? Is there a viable way to make Kinesis do what we want, or can we even rely on Kinesis to keep working with how we are transforming the records?

Topics

Analytics Serverless

Relevant content

Kinesis Firehose transformation json output
Andrea Campolonghi
asked 4 months ago
Multiple Kinesis Firehose Destinations
Accepted Answer
DavidG_AWS
asked 4 years ago
Kinesis data Firehose Data Transformation and Compression
Accepted Answer
Peter Eskandar
asked a year ago
Does Firehose support CRUD operations on OpenSearch
AWS-User-3372660
asked 2 years ago
Why do I experience a data delivery failure with Kinesis Data Firehose that has an OpenSearch Service domain as a destination?
AWS OFFICIALUpdated 6 months ago
How do I set up cross-account streaming from Kinesis Data Firehose to Amazon OpenSearch Service?
AWS OFFICIALUpdated 5 months ago
How do I push VPC flow logs to Splunk using Amazon Kinesis Firehose?
AWS OFFICIALUpdated a year ago
How can I troubleshoot Lambda Kinesis Firehose integration issues?
AWS OFFICIALUpdated a year ago
Amazon Kinesis Video Streams with WebRTC operation returned status code: 0x5600000f
EXPERT
golderic
published a year ago
Amazon Kinesis Video Streams with WebRTC operation returned status codes: 0x5a000003, 0x5a000005, 0x5a000012
EXPERT
golderic
published a year ago