Discover: "field" is a required parameter

Elastic Stack Kibana
1

Hello,

i want to see my logs, but i get everytime this messages:

2017-06-20 20_58_31-10.0.99.187 - Remotedesktopverbindung.png1898×304 34.1 KB

Perhaps my filter clearifies it?

filter {
      if [type] == "cisco-asa" {
         grok {
          match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
        }

         syslog_pri { }

         date {
          match => ["timestamp",
            "MMM dd HH:mm:ss",
            "MMM  d HH:mm:ss",
            "MMM dd yyyy HH:mm:ss",
            "MMM  d yyyy HH:mm:ss"
          ]
          timezone => "Europe/Berlin"
        }

         if "_grokparsefailure" not in [tags] {
          mutate {
            rename => ["cisco_message", "message"]
            remove_field => ["timestamp"]
          }
        }

         grok {
          match => [
            "message", "%{CISCOFW106001}",
            "message", "%{CISCOFW106006_106007_106010}",
            "message", "%{CISCOFW106014}",
            "message", "%{CISCOFW106015}",
            "message", "%{CISCOFW106021}",
            "message", "%{CISCOFW106023}",
            "message", "%{CISCOFW106100}",
            "message", "%{CISCOFW110002}",
            "message", "%{CISCOFW302010}",
            "message", "%{CISCOFW302013_302014_302015_302016}",
            "message", "%{CISCOFW302020_302021}",
            "message", "%{CISCOFW305011}",
            "message", "%{CISCOFW313001_313004_313008}",
            "message", "%{CISCOFW313005}",
            "message", "%{CISCOFW402117}",
            "message", "%{CISCOFW402119}",
            "message", "%{CISCOFW419001}",
            "message", "%{CISCOFW419002}",
            "message", "%{CISCOFW500004}",
            "message", "%{CISCOFW602303_602304}",
            "message", "%{CISCOFW710001_710002_710003_710005_710006}",
            "message", "%{CISCOFW713172}",
            "message", "%{CISCOFW733100}"
          ]
        }
      }
    }

I hope anyone has a idea to fix it. :slight_smile:

Best Regards

Daniel

2

Hi Daniel,

what happens if you click ok on the error? Also can you go to management and click refresh on this index pattern's page?

Thanks,
Bhavya

3

Hey Bhavya,

nothing happens if i click on one of the failure banners.

I've already removed and recreated all stored index patterns in Kibana.:confused:

And i've already stopped logstash deleted all elasticsearch (Logstash and Kibana) indices and started logstash again which collects the syslog messages.

If i click on the one selected predefined field _source then i get this message:

Best Regards

Daniel

4

Has nobody a idea?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.