Discover: "field" is a required parameter

DanMa · June 20, 2017, 7:03pm

Hello,

i want to see my logs, but i get everytime this messages:

Perhaps my filter clearifies it?

filter {
      if [type] == "cisco-asa" {
         grok {
          match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
        }

         syslog_pri { }

         date {
          match => ["timestamp",
            "MMM dd HH:mm:ss",
            "MMM  d HH:mm:ss",
            "MMM dd yyyy HH:mm:ss",
            "MMM  d yyyy HH:mm:ss"
          ]
          timezone => "Europe/Berlin"
        }

         if "_grokparsefailure" not in [tags] {
          mutate {
            rename => ["cisco_message", "message"]
            remove_field => ["timestamp"]
          }
        }

         grok {
          match => [
            "message", "%{CISCOFW106001}",
            "message", "%{CISCOFW106006_106007_106010}",
            "message", "%{CISCOFW106014}",
            "message", "%{CISCOFW106015}",
            "message", "%{CISCOFW106021}",
            "message", "%{CISCOFW106023}",
            "message", "%{CISCOFW106100}",
            "message", "%{CISCOFW110002}",
            "message", "%{CISCOFW302010}",
            "message", "%{CISCOFW302013_302014_302015_302016}",
            "message", "%{CISCOFW302020_302021}",
            "message", "%{CISCOFW305011}",
            "message", "%{CISCOFW313001_313004_313008}",
            "message", "%{CISCOFW313005}",
            "message", "%{CISCOFW402117}",
            "message", "%{CISCOFW402119}",
            "message", "%{CISCOFW419001}",
            "message", "%{CISCOFW419002}",
            "message", "%{CISCOFW500004}",
            "message", "%{CISCOFW602303_602304}",
            "message", "%{CISCOFW710001_710002_710003_710005_710006}",
            "message", "%{CISCOFW713172}",
            "message", "%{CISCOFW733100}"
          ]
        }
      }
    }

I hope anyone has a idea to fix it.

Best Regards

Daniel

bhavyarm · June 20, 2017, 8:02pm

Hi Daniel,

what happens if you click ok on the error? Also can you go to management and click refresh on this index pattern's page?

Thanks,
Bhavya

DanMa · June 21, 2017, 5:09am

Hey Bhavya,

nothing happens if i click on one of the failure banners.

I've already removed and recreated all stored index patterns in Kibana.

And i've already stopped logstash deleted all elasticsearch (Logstash and Kibana) indices and started logstash again which collects the syslog messages.

If i click on the one selected predefined field _source then i get this message:

Best Regards

Daniel

DanMa · June 22, 2017, 7:24am

Has nobody a idea?

system · July 20, 2017, 7:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.