Can't create indices

HuanW · March 29, 2019, 8:14am

Hi,
The question is one of my input setting doesn't work.
The way I check is I go to Kibana and check on the index management page, and I didn't see the indice.

The input that have problem is type=>"anotherApplog"
config file as below:

input {
file {type=>"iislog" path=>"\\testNumber8.testPath/iislog/*/*.log" start_position=>"beginning"}
file {type=>"applog" path=>"\\testNumber05.testPath/log/*/*-error.log" start_position=>"beginning"}
file {type=>"anotherApplog" path=>"\\testNumber05.testPath/log/projectName/*-debug.log" start_position=>"beginning"}
}

filter {
	if [type] == "iislog" {
		grok {
			match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:s-sitename} %{IPORHOST:computername} %{IP:s-ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} %{NOTSPACE:cs_version} %{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_Cookie} (?<cs_Referer>(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?(?<cs_Referer_domain>[^:\/?\n]+).+|-) %{NOTSPACE:cs_host} %{NUMBER:sc_status} %{NUMBER:sc_substatus} %{NUMBER:sc_win32_status} %{NUMBER:sc_bytes} %{NUMBER:cs_bytes} %{NUMBER:time_taken}"]
		}
	}
	else if [type] == "anotherApplog" {
		multiline {
			negate => true
			pattern => "^\[DEBUG\]"	
			what => "previous"
		}
		grok {
			//do something
		}
	}
	else{
		multiline {
			negate => true
			pattern => "^\[ERROR\]"	
			what => "previous"
		}
		grok {
			match => ["message", "\[%{LOGLEVEL:log_level}\ ?\] %{TIMESTAMP_ISO8601:server_time} \- %{GREEDYDATA:app_log}"]
		}
	}
	
	grok {
		match => { path => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"}
	}	
	
	if [type] == "iislog" {
		if [message] =~ "^#" {
			drop {}
		}
		
		date {
			match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
			timezone => "Etc/UTC"
			target => "@timestamp"
		}	
	
		geoip {
			source => "clientip"
			target => "geoip"
			database => "F:/GeoIP2-City.mmdb"
			add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
			add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
		}
	
		useragent {
			source=> "useragent"
			prefix=> "browser"
		}
		
        mutate {
            convert => [ "[time_taken]","integer" ]
            convert => [ "[sc_bytes]", "integer" ]
            convert => [ "[cs_bytes]", "integer" ]
            convert => [ "[geoip][location]", "float" ]
        }
		
		mutate
		{
			remove_field => ["message"]
		}
	}
	
	date {
      match => [ "server_time","YYYY-MM-dd HH:mm:ss,SSS" ]
      timezone => "Etc/GMT+4"
      target => "@timestamp"
    }
}

output {
	elasticsearch {
		hosts => ["localhost:9200"]
		index => "%{type}-%{+YYYY.MM.dd}"
	}
}

HuanW · April 19, 2019, 8:57am

Solved
The root cause is because the type can not have capital

system · May 17, 2019, 9:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.