Discover: Failed to parse query

Elastic Stack Kibana
1

Hi,

I believe that some of my logs make failed parsing process.
Any help is appreciated.
Below is the massage in Kibana Interface.

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"query_shard_exception","reason":"Failed to parse query [13:36:33]","index_uuid":"PH8G5agqRAyO3kuJImRqog","index":"hamid-tomcat-1-2018.02.27"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"hamid-tomcat-1-2018.02.27","node":"qfBgyrDFRTO5hBNQeLTJ0A","reason":{"type":"query_shard_exception","reason":"Failed to parse query [13:36:33]","index_uuid":"PH8G5agqRAyO3kuJImRqog","index":"hamid-tomcat-1-2018.02.27","caused_by":{"type":"parse_exception","reason":"Cannot parse '13:36:33': Encountered " ":" ": "" at line 1, column 5.\nWas expecting one of:\n \n ...\n ...\n ...\n "+" ...\n "-" ...\n ...\n "(" ...\n "" ...\n "^" ...\n ...\n ...\n <FUZZY_SLOP> ...\n ...\n ...\n ...\n "[" ...\n "{" ...\n ...\n ","caused_by":{"type":"parse_exception","reason":"Encountered " ":" ": "" at line 1, column 5.\nWas expecting one of:\n \n ...\n ...\n ...\n "+" ...\n "-" ...\n ...\n "(" ...\n "" ...\n "^" ...\n ...\n ...\n <FUZZY_SLOP> ...\n ...\n ...\n ...\n "[" ...\n "{" ...\n ...\n "}}}}]},"status":400}
at http://10.176.70.203:5601/bundles/commons.bundle.js?v=16573:1:712135
at Function.Promise.try (http://10.176.70.203:5601/bundles/commons.bundle.js?v=16573:1:503230)
at http://10.176.70.203:5601/bundles/commons.bundle.js?v=16573:1:502618
at Array.map ()
at Function.Promise.map (http://10.176.70.203:5601/bundles/commons.bundle.js?v=16573:1:502576)
at callResponseHandlers (http://10.176.70.203:5601/bundles/commons.bundle.js?v=16573:1:711713)
at http://10.176.70.203:5601/bundles/commons.bundle.js?v=16573:1:701063
at processQueue (http://10.176.70.203:5601/bundles/vendors.bundle.js?v=16573:65:132456)
at http://10.176.70.203:5601/bundles/vendors.bundle.js?v=16573:65:133349
at Scope.$digest (http://10.176.70.203:5601/bundles/vendors.bundle.js?v=16573:65:144239)

2

Not sure if it's not showing up for just me, can you share the query and your kibana version? Are you using kuery or lucene?

3

Hi Jon,

Kibana is V. 6.2.1

My config is :

input {
file {
path => "/path/to/log/tomcat/"
start_position => "beginning"
codec => multiline {
pattern => "^(%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{HOUR}:?%{MINUTE}(?::?%{SECOND}))"
negate => true
what => "previous"
charset => "ISO-8859-1"
}
}
}

filter {
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "tomcat-%{+YYYY.MM.dd}"
}
stdout { codec => rubydebug }
}

4

Hi Hamid,

  1. in your conf file path => "/path/to/log/tomcat/"
    have you change this path with actual tomcat folder path.
  2. and also in output can you please try with host like below:
    hosts => "http://localhost:9200"

Thanks,
Seema

5

Hi Seema,
I don't know how the problem has been resolved but it has not been caused by my tomcat path (truncated) nor by the format of the path hosts.
Thank you anyway.
Regards
Hamid

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.