Can't create indices

HuanW · March 29, 2019, 8:14am

Hi,
The question is one of my input setting doesn't work.
The way I check is I go to Kibana and check on the index management page, and I didn't see the indice.

The input that have problem is type=>"anotherApplog"
config file as below:

input {
file {type=>"iislog" path=>"\\testNumber8.testPath/iislog/*/*.log" start_position=>"beginning"}
file {type=>"applog" path=>"\\testNumber05.testPath/log/*/*-error.log" start_position=>"beginning"}
file {type=>"anotherApplog" path=>"\\testNumber05.testPath/log/projectName/*-debug.log" start_position=>"beginning"}
}

filter {
	if [type] == "iislog" {
		grok {
			match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:s-sitename} %{IPORHOST:computername} %{IP:s-ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} %{NOTSPACE:cs_version} %{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_Cookie} (?<cs_Referer>(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?(?<cs_Referer_domain>[^:\/?\n]+).+|-) %{NOTSPACE:cs_host} %{NUMBER:sc_status} %{NUMBER:sc_substatus} %{NUMBER:sc_win32_status} %{NUMBER:sc_bytes} %{NUMBER:cs_bytes} %{NUMBER:time_taken}"]
		}
	}
	else if [type] == "anotherApplog" {
		multiline {
			negate => true
			pattern => "^\[DEBUG\]"	
			what => "previous"
		}
		grok {
			//do something
		}
	}
	else{
		multiline {
			negate => true
			pattern => "^\[ERROR\]"	
			what => "previous"
		}
		grok {
			match => ["message", "\[%{LOGLEVEL:log_level}\ ?\] %{TIMESTAMP_ISO8601:server_time} \- %{GREEDYDATA:app_log}"]
		}
	}
	
	grok {
		match => { path => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"}
	}	
	
	if [type] == "iislog" {
		if [message] =~ "^#" {
			drop {}
		}
		
		date {
			match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
			timezone => "Etc/UTC"
			target => "@timestamp"
		}	
	
		geoip {
			source => "clientip"
			target => "geoip"
			database => "F:/GeoIP2-City.mmdb"
			add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
			add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
		}
	
		useragent {
			source=> "useragent"
			prefix=> "browser"
		}
		
        mutate {
            convert => [ "[time_taken]","integer" ]
            convert => [ "[sc_bytes]", "integer" ]
            convert => [ "[cs_bytes]", "integer" ]
            convert => [ "[geoip][location]", "float" ]
        }
		
		mutate
		{
			remove_field => ["message"]
		}
	}
	
	date {
      match => [ "server_time","YYYY-MM-dd HH:mm:ss,SSS" ]
      timezone => "Etc/GMT+4"
      target => "@timestamp"
    }
}

output {
	elasticsearch {
		hosts => ["localhost:9200"]
		index => "%{type}-%{+YYYY.MM.dd}"
	}
}

HuanW · April 19, 2019, 8:57am

Solved
The root cause is because the type can not have capital

system · May 17, 2019, 9:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Below logstash file is not creating the index with the name i specified Logstash	7	536	July 6, 2017
Can not create an index Logstash	5	292	January 6, 2021
Index not creating Logstash	18	844	September 23, 2021
Not able to Create Index in Kibana Kibana	5	818	May 3, 2017
Indexing in Kibana Kibana	12	1066	September 6, 2017

Can't create indices

Related topics