COMBINEDAPACHELOG grok definition creating all fields as type string

Hi all,

I'm using the %{COMBINEDAPACHELOG} grok pattern for my Apache logs and parsing to Elasticsearch service (v2.3) in AWS and all the fields are created as string type. I have tried a number of custom patterns and I'm still having the same issue. I also have a custom IIS grok pattern running and it's working fine.

Here's my grok definition:

filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }

    geoip {
      source => "clientip"
    }
  }
}

output {
  if [type] == "apache-access" {
    elasticsearch {
      hosts => ["my-elasticsearch-url:80"]
      index => "apache-%{+YYYY.MM.dd}"
      # no Logstash-managed template, so Elasticsearch dynamic mapping decides field types
      manage_template => false
    }
  }
  stdout { codec => rubydebug }
}

Here's my elasticsearch index/mapping:

Has anyone had the same experience? Any feedback, input or help would be much appreciated!

Yes, this is arguably a bug in the grok pattern(s). You should use a mutate filter's convert option to convert e.g. the bytes field to an integer. This issue is relevant:

Thanks Magnus, I've created a mutate filter and converted the relevant fields to integer and float and it now works.
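For reference, here is what the fix described in the thread looks like in the filter section. This is an added example, not the configuration the original poster ended up with: it reuses the field names that %{COMBINEDAPACHELOG} emits (response, bytes) and the poster's type condition, and assumes the same Logstash 2.x hash syntax for convert.

```logstash
filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }

    # Every grok capture is a string. With manage_template => false the only
    # thing that sets the Elasticsearch field type is the JSON type of the
    # first value indexed, so cast the numeric captures before output.
    mutate {
      convert => {
        # HTTP status code
        "response" => "integer"
        # Response size. When Apache logs "-" the pattern takes its "|-" branch
        # and no bytes field is created, so convert simply has nothing to do.
        "bytes" => "integer"
      }
    }

    geoip {
      source => "clientip"
    }
  }
}
```

Two things to check after restarting Logstash. First, a field's type cannot be changed on an index that already has it mapped as string, so indices created before the change keep the old mapping; the next daily apache-YYYY.MM.dd index (or one recreated after deleting it) is the first to get long for response and bytes. Second, confirm it with the mapping API, e.g. curl 'http://my-elasticsearch-url:80/apache-*/_mapping?pretty', and look for "type": "long" on those fields. If you want the types to be independent of which event happens to arrive first, an index template with an explicit mapping for the apache-* pattern is the more robust option than relying on dynamic mapping.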