5.1.1 custom format isn't supported

(Alexis brehain) #1


I subscribed to a 14-day trial to move from my test env (5.1.1) to your cloud-based solution.
I load Elasticsearch through Logstash with my IIS server logs. When I look into Discover, I get this message:

Discover: [unsupported_operation_exception] custom format isn't supported
Error: [unsupported_operation_exception] custom format isn't supported
    at respond (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/kibana.bundle.js?v=14566:14:2082)
    at checkRespForFailure (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/kibana.bundle.js?v=14566:14:1310)
    at https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/kibana.bundle.js?v=14566:1:23441
    at processQueue (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:38:23621)
    at https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:38:23888
    at Scope.$eval (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:39:4619)
    at Scope.$digest (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:39:2359)
    at Scope.$apply (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:39:5037)
    at done (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:37:25027)
    at completeRequest (https://079a55c5c95666ada3fba5517ae47066.eu-west-1.aws.found.io/bundles/commons.bundle.js?v=14566:37:28702)

The Logstash conf is:

    input {
      beats {
        port => 5044
        type => "log"
      }
    }

    filter {

      # ignore log comments (IIS W3C header lines start with '#')
      if [message] =~ "^#" {
        drop {}
      }

      # the timestamp is captured as log_timestamp so the date and mutate
      # filters below refer to the same field
      grok {
        match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:sourceip} %{WORD:method} %{URIPATH:uristem} (?:-|%{NOTSPACE:uriquery}) %{POSINT:port} (?:-|%{NOTSPACE:username}) %{IP:clientip} %{NOTSPACE:useragent} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:win32status} %{NUMBER:timetaken}"]
      }

      # Set the event timestamp from the log line (IIS writes UTC)
      date {
        match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Etc/UTC"
      }

      useragent {
        source => "useragent"
        prefix => "browser"
      }

      mutate {
        remove_field => [ "log_timestamp" ]
      }
    }

    output {
      elasticsearch {
        hosts => "xxxx:9200"
        user => "xxxx"
        password => "xxxx"
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      }
    }

Everything works on my own server; why not on the cloud service?

Could you help ?

(Joe Fleming) #2

Looks like that error is coming from Elasticsearch, but it's possible it's caused by something that Kibana is trying to do. Seems like it's been happening for a while as well, all the way back to 4.4/2.2: Custom format isn't supported

I'm not sure why it would work locally for you but not in Cloud. Can you share any customizations you have in your config/elasticsearch.yml and config/kibana.yml files in your local installation?

(Joe Fleming) #3

It's also possible that this is caused by a mapping issue. Perhaps one of the fields you've told Kibana is a date isn't mapped as a date in Elasticsearch. If ES thinks it's, say, a number, then that could explain the "custom format" error message.

Can you share your field mappings from Elasticsearch?

(Alexis brehain) #4

Hi Joe, thank you for the answer.

I've added a new index pattern for the IIS logs instead of the wildcard to get all data. This works around the issue (the wildcard works fine on my dev).

I'm still running with the default configuration file for both. The only difference could be that my dev platform is running on Windows.
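Joe's suggestion in #3 (check whether a field Kibana treats as a date is mapped as something else) and Alexis's workaround in #4 (a narrower index pattern instead of the wildcard) point at the same check: over all indices a pattern matches, does any field carry more than one mapping type? The script below is an added example, not code from this thread or from Elastic. It consumes the JSON shape that `GET /_mapping` returns in Elasticsearch 5.x (index, then `mappings`, then document type, then `properties`); the index names, field names and the date/text conflict on `timestamp` are constructed to illustrate the hypothesis, not taken from the poster's cluster.

```python
"""Report fields whose mapping type differs across the indices matched by a
Kibana index pattern, or that are not mapped as dates where Kibana expects one.

Added example, not part of the original thread. Input is the JSON returned by
GET /_mapping on Elasticsearch 5.x; SAMPLE_MAPPINGS below is constructed.
"""
import fnmatch
import json
import sys
from collections import defaultdict

# Constructed sample (assumption, not data from the thread): one daily
# filebeat index maps the grok-extracted 'timestamp' as a date, the next one
# as text, so the wildcard pattern '*' sees two types for the same field.
SAMPLE_MAPPINGS = {
    "filebeat-2017.01.10": {"mappings": {"log": {"properties": {
        "@timestamp": {"type": "date"},
        "timestamp": {"type": "date"},
        "status": {"type": "keyword"},
    }}}},
    "filebeat-2017.01.11": {"mappings": {"log": {"properties": {
        "@timestamp": {"type": "date"},
        "timestamp": {"type": "text"},
        "status": {"type": "keyword"},
    }}}},
    "winlogbeat-2017.01.11": {"mappings": {"wineventlog": {"properties": {
        "@timestamp": {"type": "date"},
        "event_id": {"type": "long"},
    }}}},
}


def _flatten(properties, prefix=""):
    """Yield (dotted_field_name, type) for every leaf field, recursing into
    object fields that carry nested 'properties'."""
    for name, spec in properties.items():
        full = prefix + name
        if "properties" in spec:
            yield from _flatten(spec["properties"], full + ".")
        if "type" in spec:
            yield full, spec["type"]


def field_types(mappings, index_pattern):
    """field -> {type -> sorted indices} over the indices the wildcard matches,
    which is exactly the set a Kibana index pattern would merge."""
    seen = defaultdict(lambda: defaultdict(set))
    for index, body in mappings.items():
        if not fnmatch.fnmatchcase(index, index_pattern):
            continue
        for doc_type in body["mappings"].values():
            for field, ftype in _flatten(doc_type.get("properties", {})):
                seen[field][ftype].add(index)
    return {f: {t: sorted(ix) for t, ix in types.items()}
            for f, types in seen.items()}


def conflicts(mappings, index_pattern):
    """Fields that have more than one mapping type across matched indices."""
    return {f: types for f, types in field_types(mappings, index_pattern).items()
            if len(types) > 1}


def non_date_fields(mappings, index_pattern, date_fields):
    """Fields Kibana expects to be dates that some matched index maps otherwise
    (the mismatch Joe describes in #3)."""
    types = field_types(mappings, index_pattern)
    return {f: {t: ix for t, ix in types.get(f, {}).items() if t != "date"}
            for f in date_fields
            if any(t != "date" for t in types.get(f, {}))}


if __name__ == "__main__":
    # Usage: python check_mappings.py [mapping.json] [index-pattern]
    # With no arguments it runs against the constructed sample with pattern '*'.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MAPPINGS
    pattern = sys.argv[2] if len(sys.argv) > 2 else "*"
    print(json.dumps(conflicts(data, pattern), indent=2))
```

Against the sample, the wildcard pattern reports `timestamp` as both `date` and `text`, while `filebeat-2017.01.10` on its own reports nothing, which is the difference Alexis observed between the wildcard and the narrower index pattern. To run it against a real cluster, save the output of `GET /_mapping` to a file and pass the file and the index pattern as arguments.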

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.