Csv character limitation per row

bobbytan · June 11, 2018, 8:30am

Hello,

I am new to the ELK,i have noticed that certain rows of my CSV file that exceed about 250 characters are having issues being visualized in kibana after importing using logstash.

Is there a way to solve this?

magnusbaeck · June 11, 2018, 8:34am

What, exactly, do you mean by "having issues being visualized"?

bobbytan · June 11, 2018, 9:08am

thank you for the quick response!

The image is an example.
As you can see there are only 2 visible rows.I have imported an csv file consisting of 1 column and 3 rows of data using logstash.The row that is not visible consists of about 280 characters in the csv file.Only after reducing the amount of characters in that particular row would be data be visible in kibana.

How do i solve this?

magnusbaeck · June 11, 2018, 10:02am

Start by taking Elasticsearch out of the equation and use a simple stdout { codec => rubydebug } output. Are you getting all expected events?

bobbytan · June 12, 2018, 2:01am

yes im getting all expected events in the shell running logstash

Badger · June 12, 2018, 3:16am

Can you show us the raw input (especially the longest line) and configuration you are using to consume it?

bobbytan · June 12, 2018, 4:27am

raw input longest line:

WebContainer : 4 - 2018-01-10 18:00:00.168 INFO c.i.g.s.s.e.l.SPLogger:63 - com.ida.gov.sg.sp.eai.interceptor.SingpassInterceptor | | UnAuthenticated URL list | [authnlogin, common, eservicelogout, tamoperationhandler, eservloginpage, loginpage, gettasconnection, errorpage]

config file:

input {

file {
path => "C:data\sui_testing.csv"
start_position =>"beginning"
sincedb_path => "/dev/null"
}
}

filter{
csv{
separator => ","
columns => [ "logs"]

}
}

output{
elasticsearch {
hosts => ["localhost:9200"]
index=> "logs_testing"

}

Badger · June 12, 2018, 5:24am

I think this is related to the fact that message.keyword does not created for documents longer than 256 characters, but someone who actually understands anything about elasticsearch would be in a better position to explain that. I just do logstash. Magnus?

magnusbaeck · June 12, 2018, 5:57am

It's most likely the ignore_above option in the mapping.

github.com

logstash-plugins/logstash-output-elasticsearch/blob/v9.2.0/lib/logstash/outputs/elasticsearch/elasticsearch-template-es6x.json#L19-L28


"string_fields" : {
  "match" : "*",
  "match_mapping_type" : "string",
  "mapping" : {
    "type" : "text", "norms" : false,
    "fields" : {
      "keyword" : { "type": "keyword", "ignore_above": 256 }
    }
  }
}

It's not clear why the OP wants to aggregate over the whole message field in the first place. That's probably a mistake, and it's possible that the problem disappears if the line is correctly parsed into fields.

bobbytan · June 12, 2018, 6:56am

ok thank you for the feedback

bobbytan · June 12, 2018, 7:15am

thanks for the solution.Just a follow up to this,
Is it possible to use logstash to parse a textfile consisting a large of number logs?
if so,should the parsing be done within the configuration file?

magnusbaeck · June 12, 2018, 8:02am

Is it possible to use logstash to parse a textfile consisting a large of number logs?

Yes, of course.

if so,should the parsing be done within the configuration file?

You could use an Elasticsearch ingest pipeline, but apart from that I'm not sure where the parsing would otherwise take place.

system · July 10, 2018, 8:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.