5.1.1 custom format isn't supported


I subscribed to a 14-day trial to move from my test env (5.1.1) to your cloud-based solution.
I load Elasticsearch through Logstash with my IIS server logs. When I look in Discover, I get this message:

    Discover: [unsupported_operation_exception] custom format isn't supported
    Error: [unsupported_operation_exception] custom format isn't supported
    at respond (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/kibana.bundle.js?v=14566:14:2082)
    at checkRespForFailure (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/kibana.bundle.js?v=14566:14:1310)
    at https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/kibana.bundle.js?v=14566:1:23441
    at processQueue (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:38:23621)
    at https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:38:23888
    at Scope.$eval (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:39:4619)
    at Scope.$digest (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:39:2359)
    at Scope.$apply (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:39:5037)
    at done (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:37:25027)
    at completeRequest (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:37:28702)

The Logstash conf is:

    input {
      beats {
        port => 5044
        type => "log"
      }
    }

    filter {
      # ignore log comments
      if [message] =~ "^#" {
        drop {}
      }

      grok {
        match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{IP:sourceip} %{WORD:method} %{URIPATH:uristem} (?:-|%{NOTSPACE:uriquery}) %{POSINT:port} (?:-|%{NOTSPACE:username}) %{IP:clientip} %{NOTSPACE:useragent} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:win32status} %{NUMBER:timetaken}"]
      }

      # Set the event timestamp from the log
      # (grok above stores the value in "timestamp"; this filter reads "log_timestamp")
      date {
        match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Etc/UTC"
      }

      useragent {
        source => "useragent"
        prefix => "browser"
      }

      mutate {
        remove_field => [ "log_timestamp" ]
      }
    }

    output {
      elasticsearch {
        hosts => "xxxx:9200"
        user => "xxxx"
        password => "xxxx"
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      }
    }

Everything works on my own server; why not on the cloud service?

Could you help?

Looks like that error is coming from Elasticsearch, but it's possible it's caused by something that Kibana is trying to do. Seems like it's been happening for a while as well, all the way back to 4.4/2.2: Custom format isn't supported

I'm not sure why it would work locally for you but not in Cloud. Can you share any customizations you have in your config/elasticsearch.yml and config/kibana.yml files in your local installation?

It's also possible that this is caused by a mapping issue. Perhaps one of the fields you've told Kibana is a date isn't mapped as a date in Elasticsearch. If ES thinks it's, say, a number, then that could explain the "custom format" error message.

Can you share your field mappings from Elasticsearch?
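One way to check the mapping hypothesis raised in the reply above, added here as an example and not part of the thread: the Python below takes a `GET /_mapping` response in the Elasticsearch 5.x shape and reports fields that are mapped with different types across the indices an index pattern matches. The index names, field types and the `flatten`/`find_conflicts` helpers are constructed for illustration.

```python
import fnmatch
from collections import defaultdict

# Constructed sample shaped like an Elasticsearch 5.x `GET /_mapping` response
# (index -> mappings -> document type -> properties). Not data from the thread.
SAMPLE_MAPPINGS = {
    "filebeat-2017.01.10": {"mappings": {"log": {"properties": {
        "@timestamp": {"type": "date"},
        "status": {"type": "keyword"},
        "browser": {"properties": {"name": {"type": "keyword"}}},
    }}}},
    "filebeat-2017.01.11": {"mappings": {"log": {"properties": {
        "@timestamp": {"type": "date"},
        "status": {"type": "keyword"},
    }}}},
    "metrics-2017.01": {"mappings": {"doc": {"properties": {
        "@timestamp": {"type": "long"},   # same field name, not a date here
        "status": {"type": "long"},
    }}}},
}

def flatten(properties, prefix=""):
    """Yield (dotted_field_name, type) for each leaf field, descending into objects."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            yield from flatten(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")

def find_conflicts(mappings, index_pattern):
    """Return {field: {type: [indices]}} for fields that have more than one
    mapped type across the indices matched by index_pattern."""
    seen = defaultdict(lambda: defaultdict(set))
    for index, body in mappings.items():
        if not fnmatch.fnmatchcase(index, index_pattern):
            continue
        for doc_type in body.get("mappings", {}).values():
            for field, ftype in flatten(doc_type.get("properties", {})):
                seen[field][ftype].add(index)
    return {field: {t: sorted(ix) for t, ix in types.items()}
            for field, types in seen.items() if len(types) > 1}

if __name__ == "__main__":
    for pattern in ("*", "filebeat-*"):
        print(pattern, find_conflicts(SAMPLE_MAPPINGS, pattern))
```

In the constructed data the wildcard pattern reports `@timestamp` and `status` as conflicting, while the narrower `filebeat-*` pattern reports nothing.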

Hi Joe, thank you for the answer.

I've added a new index pattern for the IIS logs instead of the wildcard to get all data. This works around the issue (the wildcard works fine in my dev).

I'm still running with the default configuration file for both. The only difference could be that my dev platform is running on Windows.
