Beats pipeline.json not received correctly in elastisearch/kibana

schultz · September 15, 2020, 8:00am

Versions:

Filebeat v7.9.1
Elastisearch v 7.9.1
Kibana v7.9.1

On windows.

I have a pipeline.json file that describes the ingest part of my module

{
"description": "Pipeline for parsing aaa server logs.",
"processors": [
    {
        "grok": {
            "field": "message",
            "patterns": [
                "^%{NUMBER:aaa.server.processid}%{SPACE}%{TIMESTAMP_ISO8601:aaa.server.timestamp}%{SPACE}%{LOGLEVEL:aaa.server.severity}%{SPACE}:%{SPACE}(?:\\[%{IPORHOST:aaa.server.shortcategory}\\])?%{SPACE}(?:\\[%{DATA:aaa.server.threadid}\\])?%{GREEDYDATA:aaa.server.message}"
            ]
        },          
        "date": {
            "field": "aaa.server.timestamp",
            "formats": ["yyyy-MM-dd HH:mm:ss,SSS","ISO8601"],
            "on_failure": [{"append": {"field": "date.error.message", "value": "{{ _ingest.on_failure_message }}"}}]
        }
    }
],
"on_failure": [{
        "set": {
            "field" : "error.message",
            "value" : "{{ _ingest.on_failure_message }}"
        }
    }
]
}

When i start filebeat this is transferred to elastisearch/kibana and if i click the link filebeat-7.9.1-aaa-server-pipeline on "Ingest Node Pipelines" i see the correct json on the right handside of the screen. But when i press edit on the pipeline, the whole date part is gone. The data ingested is not handled correctly with regards to the date part. @timestamp is not updated as described in the json.

manually adding a date processor, as described in the json file fixes the parsing problem.

mtojek · September 15, 2020, 11:26am

Try to review a similar file: https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml

Most likely you have to do a similar transformation as for the raw_date field.

schultz · September 15, 2020, 12:45pm

Is not that what this does? ref: date-processor it states that the default for target_field is @timestamp.

    "date": {
       "field": "aaa.server.timestamp",
        "formats": ["yyyy-MM-dd HH:mm:ss,SSS","ISO8601"],
        "on_failure": [{"append": {"field": "date.error.message", "value": "{{ _ingest.on_failure_message }}"}}]
    }

This is how the pipeline looks, seems fine...

But when i edit it, this is what i get:

The date part is nowhere to be found.

system · October 13, 2020, 2:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest pipeline is not being used in the events sent by filebeat Elasticsearch	1	437	March 20, 2018
Cannot seem to get ingest pipelines to work, please help! Elasticsearch	12	973	April 6, 2021
Some questions about Filebeat that are not clear in the docs Beats filebeat	6	633	July 12, 2019
Filebeat Apache Module Ingest Pipeline Beats filebeat	1	586	October 18, 2019
Filebeat not sending logs to elasticsearch when pipeline is configured in filebeat.yml Beats filebeat	2	841	February 20, 2020

Beats pipeline.json not received correctly in elastisearch/kibana

Related topics