Hi experts.
I use scripted field with my filebeat at field sometime have value sometime no so my scripted is:
if (!doc['Time'].empty) {
return doc['Time'].date.hourOfDay + 7;
}
after that my filebeat-* index not working and it throw Courier Fetch: X of X shards failed
Please help me with this
There should be something in the Elasticsearch logs as well at this time?
Hi @warkolm
Sr for late reply
this is my elasticsearch logs
at org.elasticsearch.search.SearchService.executeFetchPhase(SearchService.java:422) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.action.search.SearchTransportService$12.messageReceived(SearchTransportService.java:393) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.action.search.SearchTransportService$12.messageReceived(SearchTransportService.java:390) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:644) [elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:638) [elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.5.2.jar:5.5.2] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_141] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_141] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141] Caused by: java.lang.IllegalArgumentException: Illegal list shortcut value [date]. at org.elasticsearch.painless.Def.lookupGetter(Def.java:454) ~[?:?] at org.elasticsearch.painless.DefBootstrap$PIC.lookup(DefBootstrap.java:149) ~[?:?] at org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:203) ~[?:?] at org.elasticsearch.painless.PainlessScript$Script.execute(if (!doc['Time'].empty) { return doc['Time'].date.hourOfDay + 7; } return null;:45) ~[?:?] at org.elasticsearch.painless.ScriptImpl.run(ScriptImpl.java:133) ~[?:?] at org.elasticsearch.search.fetch.subphase.ScriptFieldsFetchSubPhase.hitExecute(ScriptFieldsFetchSubPhase.java:51) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.search.fetch.FetchPhase.execute(FetchPhase.java:164) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.search.SearchService.executeFetchPhase(SearchService.java:422) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.action.search.SearchTransportService$12.messageReceived(SearchTransportService.java:393) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.action.search.SearchTransportService$12.messageReceived(SearchTransportService.java:390) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:644) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:638) ~[elasticsearch-5.5.2.jar:5.5.2] at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.5.2.jar:5.5.2] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_141] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_141] at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_141]
Hi @warkolm
I think that error come from the logstash filter, because when i add if condition with tag, the file Time of filebeat become string type, not date type. How can i keep the data type when use if condition.
Here is my logstash filter
if "node" in [tags] {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:Time} %{WORD:Method} %{NUMBER:Http_stt} %{NUMBER:ResTime}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
remove_field => "message"
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}It's hard to say without seeing the full error.
I said that because i check the field Time filtered type is String so the paintless scripts not work but when i use paintless script for @timestamp, it's working without any error
Oh, then yes that makes sense.
@warkolm so can you tell my why when i added the [tags] condition, all my field become string type? even the grokfilter is %{TIMESTAMP_ISO8601}
Thanks
Probably because you are doing a date filter on a different field, syslog_timestamp and not Time as per the grok.
Here is my grokfilter
if "node" in [tags] {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:Time} %{WORD:Method} %{NUMBER:Http_stt} %{NUMBER:ResTime}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
remove_field => "message"
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
but the type of Time field is string. It's because of the line ?
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
Thanks
Yeah, but syslog_timestamp doesn't exist in your grok.
Hi @warkolm
so instead of using
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
i should use
date {
match => [ "Time", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
? or just remove the date filter
Thanks
Just update the date filter and it should be better.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.