Dissect Processor not working correctly in elastic search

saket_gupta · May 21, 2020, 12:38pm

Hi Team,

I am trying to parse logs using dissect processor in elastic search . However I dont get the appropriate output. When I run the log through logstash using dissect filter, it works fine.

`

PUT _ingest/pipeline/my_pipeline_id_saket
{
"description" : "describe pipeline",
"processors" : [
{
"dissect": {
"field": "message",
"pattern": "%{log_TraceId}, %{log_SpanId}, %{log_UserId}, [%{ip},"
}
}
]

}

POST test/_doc/3?pipeline=my_pipeline_id_saket
{
"message" : "b5721cae-573f-4da5-90dd-2f1c7783b21d, b5721cae-573f-4da5-90dd-2f1c7783b21d, , [0:0:0:0:0:0:0:1,"

}

GET test/_doc/3

`

This gives the output :-

"log_TraceId" : "b5721cae-573f-4da5-90dd-2f1c7783b21d", "log_UserId" : "", "ip" : "[0:0:0:0:0:0:0:1", "log_SpanId" : "b5721cae-573f-4da5-90dd-2f1c7783b21d"
However the output in logstash (correct & expected):-
{ "ip": "0:0:0:0:0:0:0:1", "log_SpanId": "b5721cae-573f-4da5-90dd-2f1c7783b21d", "log_TraceId": "b5721cae-573f-4da5-90dd-2f1c7783b21d", "log_UserId": "" }

The Ip address does not get parsed correctly and has a '[' added to it which is a delimiter.

Thanks
Saket

Christian_Dahlqvist · May 22, 2020, 3:59am

If I recall correctly I think the dissect pattern need to end with a match clause, so I would recommend adding and empty one at the end and see if that makes a difference.

saket_gupta · May 22, 2020, 4:19am

Thanks for your reply. Sorry I could not understand " adding and empty one at the end and see if that makes a difference.". Could you please give an example ?

Christian_Dahlqvist · May 22, 2020, 4:26am

Was on my mobile so could not provide an example. Meant something like this:

"pattern": "%{log_TraceId}, %{log_SpanId}, %{log_UserId}, [%{ip},%{}"

saket_gupta · May 22, 2020, 4:30am

THanks for your reply. I just did try that unfortunately I still get a '[' in my ip

Christian_Dahlqvist · May 22, 2020, 4:35am

If the same config in Logstash produces a different result it sounds like a bug.

saket_gupta · May 22, 2020, 4:36am

Yes it does..!! Thanks for your reply.

saket_gupta · May 26, 2020, 4:21am

Hi,

Humble Request, if anyone from Elastic Team can look into this ?

Thanks
Saket

dadoonet · May 26, 2020, 7:20am

If it's a bug, could you open an issue in elasticsearch GitHub repository?

You should link to this thread from the issue.

system · June 23, 2020, 7:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok help not getting data Logstash	3	112	June 2, 2024
Dissect filter is not dissecting properly Logstash	2	2293	February 1, 2018
Logstash ElasticSearch Filter doesn't work with dissect fields or IP ranges Logstash	0	92	June 26, 2024
Difference between dissect filter and dissect processor Logstash	2	373	October 11, 2019
Logstash filtr strange behavior Logstash	17	595	September 8, 2020

Dissect Processor not working correctly in elastic search

Related topics