COMBINEDAPACHELOG grok definition creating all fields as type string

hp-adl · January 5, 2017, 3:01am

Hi all,

I'm using the %{COMBINEDAPACHELOG} grok pattern for my Apache logs and parsing to Elasticsearch service (v2.3) in AWS and all the fields are created as string type. I have tried a number of custom patterns and I'm still having the same issue. I also have a custom IIS grok pattern running and it's working fine.

Here's my grok definition:

filter {
  if [type] == "apache-access" {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }

    geoip {
        source => "clientip"
    }
  }

output {
  if [type] == "apache-access"  {
elasticsearch {
  hosts => ["my-elasticsearch-url:80"]
  index => "apache-%{+YYYY.MM.dd}"
  manage_template => false
}
  }
 stdout {codec => rubydebug}
}

Here's my elasticsearch index/mapping:

Has anyone had the same experience? Any feedback, input or help would be much appreciated!

magnusbaeck · January 6, 2017, 7:00pm

Yes, this is arguably a bug in the grok pattern(s). You should use a mutate filter's convert option to convert e.g. the bytes field to an integer. This issue is relevant:

hp-adl · January 9, 2017, 3:49am

Thanks Magnus, I've created a mutate filter and converted the relevant fields to integer and float and it now works.

system · February 6, 2017, 3:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I set a field type using grok? Logstash	4	20486	July 6, 2017
Mismatch in field type Logstash	7	706	August 19, 2018
Unable to change type string to int (logstash -> es) Elasticsearch	2	669	July 13, 2018
Elasticsearch ignores type of apache log Elasticsearch	2	429	January 25, 2020
How to convert datatype field from "string" to "integer" with mutate filter? Logstash	2	1326	September 4, 2018

COMBINEDAPACHELOG grok definition creating all fields as type string

Related topics