Hi guys,
Today I am working on including query templates in my Logstash pipelines. In this use case, I need to search by two factors: a specific field, and only the last X hours (around 6 hours). For this, I wrote a compound DSL query with a bool clause, which works successfully in Kibana Dev Tools, but when I include it in a query template in Logstash and reload, it fails and shows the following message:
[2022-07-05T22:06:54,956][INFO ][logstash.javapipeline ][dkt-ecm.conf] Pipeline terminated {"pipeline.id"=>"dkt-ecm.conf"}
[2022-07-05T22:06:54,988][ERROR][logstash.agent ] Failed to execute action {:id=>:"dkt-ecm.conf", :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<dkt-ecm.conf>, action_result: false", :backtrace=>nil}
This is the relevant part of the pipeline:
elasticsearch {
  hosts    => ["es02"]
  ca_file  => '/usr/share/logstash/config/certs/ca.crt'
  ssl      => true
  user     => '**************'
  password => '**************'
  index    => "*********"
  # query DSL read from this file; %{field} references are resolved per event
  query_template => "/usr/share/logstash/querytemplate/srcip_ls.json"
  # copy host_saved from the matched document into the event as srcHost_ELK
  fields => {
    "host_saved" => "srcHost_ELK"
  }
}
And this is the query template:
{
  "query": {
    "bool": {
      "must": {
        "term": { "ip_saved": "%{srcip_ls}" }
      },
      "filter": {
        "range": { "@timestamp": { "gte": "now-6h/h" } }
      }
    }
  }
}
Please help me.
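As an added pre-flight check (example code written for this page, not part of the original post or of Logstash itself), the following script renders the query template the way the elasticsearch filter does and validates the result before the pipeline is reloaded. It assumes, as the filter's documentation of `%{field}` references implies, that the template file is passed through the event's sprintf, i.e. placeholders are replaced textually and unresolved ones are left as literal `%{...}` text. The template text and the sample events are constructed inline from the post; `lint_template`, `render_template` and `unsafe_fields` are hypothetical helper names. Besides catching a template that does not render to valid JSON, it shows two things a practitioner should care about: an event without `srcip_ls` silently queries for the literal string `%{srcip_ls}`, and because substitution is textual, an `srcip_ls` value containing a double quote can splice extra clauses into the bool query, so the field should be validated (here, as an IPv4 address) before the filter runs.

```python
from __future__ import annotations
import json
import re
from typing import Any

# Logstash field references inside %{...}: a bare name (%{srcip_ls})
# or a bracketed path (%{[source][ip]}).
_REF = re.compile(r"%\{(\[[^}]*\]|[^}\[]+)\}")

# Query template copied from the post, embedded inline so this runs offline.
TEMPLATE_TEXT = """{
  "query": {
    "bool": {
      "must":   { "term":  { "ip_saved": "%{srcip_ls}" } },
      "filter": { "range": { "@timestamp": { "gte": "now-6h/h" } } }
    }
  }
}"""

# Constructed expectation for the field spliced into the template: ip_saved
# holds an IPv4 address, so anything else is rejected before the query is built.
SAFE_PATTERNS = {"srcip_ls": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")}


def _lookup(event: dict, ref: str) -> Any:
    """Resolve a sprintf reference ('name' or '[a][b]') against an event dict."""
    path = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    cur: Any = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def render_template(template_text: str, event: dict) -> tuple[str, list[str]]:
    """Mimic event.sprintf: substitute %{...} textually, leave unresolved
    references untouched (as Logstash does) and report them."""
    unresolved: list[str] = []

    def repl(m: re.Match) -> str:
        ref = m.group(1)
        val = _lookup(event, ref)
        if val is None:
            unresolved.append(ref)
            return m.group(0)
        return str(val)

    return _REF.sub(repl, template_text), unresolved


def lint_template(template_text: str, event: dict) -> dict:
    """Render the template for one event and check the result is usable.
    ok is False if any reference is unresolved or the rendered text is not JSON."""
    result: dict = {"ok": False, "errors": [], "unresolved": [], "query": None}
    rendered, unresolved = render_template(template_text, event)
    result["unresolved"] = unresolved
    if unresolved:
        # Logstash would send the literal %{...} text as the term value.
        result["errors"].append(f"unresolved references: {unresolved}")
    try:
        result["query"] = json.loads(rendered)
    except json.JSONDecodeError as e:
        result["errors"].append(f"rendered query is not valid JSON: {e}")
        return result
    result["ok"] = not result["errors"]
    return result


def unsafe_fields(event: dict, patterns: dict = SAFE_PATTERNS) -> list[str]:
    """Fields whose value would be spliced into the template but do not match
    the expected shape; drop or tag the event for these instead of querying."""
    bad = []
    for name, pat in patterns.items():
        val = _lookup(event, name)
        if val is not None and not pat.fullmatch(str(val)):
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed sample events: a normal one, one missing the field,
    # and one whose value injects a must_not clause through the quotes.
    for ev in ({"srcip_ls": "10.0.0.5"}, {},
               {"srcip_ls": '1.2.3.4" } }, "must_not": { "term": { "ip_saved": "'}):
        print(unsafe_fields(ev), lint_template(TEMPLATE_TEXT, ev))
```

Run it against the template file before reloading the pipeline; if a template fails to render to valid JSON for a representative event, the pipeline will fail at the filter regardless of what the generic `PipelineAction::Create` message says. The injection case is the reason to validate `srcip_ls` in the pipeline (for example with a conditional around the filter) rather than trusting that the field always holds an IP.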