Hi,
I am using Elasicsearch filter plugin to check the current event with the previous events.
My elasticsearch filter plugin looks like this
elasticsearch {
hosts => "xx.xx.xx.xx"
index => "all-interface-status"
query => '{"_source":["ControllerName","parsed_interfaces.brief.name","parsed_interfaces.brief.host-inf","parsed_interfaces.detail.hw-stats.crc-error","@timestamp"],
"query":{
"bool":
{"must":
[{"match":{"ControllerName":"%{controller}"}},
{"match":{"parsed_interfaces.brief.name":"%{interface}"}},
{"match":{"parsed_interfaces.brief.host-inf":"%{port_number}"}}],
"filter":[
{"range":{"@timestamp":{"gte":"now-5m","lte": "now"}}}]}}}'
}
And I am getting the below error.
Failed to query elasticsearch for previous event {:index=>"all-interface-status", :error=>"[400]
{\"error\":{\"root_cause\":[{\"type\":\"query_shard_exception\",\"reason\":\"Failed to parse query
[{\\\"_source\\\":
[\\\"ControllerName\\\",\\\"parsed_interfaces.brief.name\\\",\\\"parsed_interfaces.brief.host-inf\\\",\\\"parsed_interfaces.detail.hw-stats.crc-error\\\",\\\"@timestamp\\\"],
\\\"query\\\":{\\\"bool\\\":{\\\"must\\\":
[{\\\"match\\\":{\\\"ControllerName\\\":\\\"POD3-Controller1\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.name\\\":\\\"vni-0/0\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.host-inf\\\":\\\"eth1\\\"}}],
\\\"filter\\\":
[{\\\"range\\\":{\\\"@timestamp\\\":{\\\"gte\\\":\\\"now-5m\\\",\\\"lte\\\": \\\"now\\\"}}}]}}}]\",
\"index_uuid\":\"DxGqpGNJQqOvoJZOX9Amng\",\"index\":\"all-interface-status\"}],
\"type\":\"search_phase_execution_exception\",\"reason\":\"all shards failed\",
\"phase\":\"query\",\"grouped\":true,\"failed_shards\":[{\"shard\":0,\"index\":\"all-interface-status\",\"node\":\"ia4IUb0vRzOmDwNF4-69Rg\",\"reason\":{\"type\":\"query_shard_exception\",
\"reason\":\"Failed to parse query
[{\\\"_source\\\":
[\\\"ControllerName\\\",\\\"parsed_interfaces.brief.name\\\",\\\"parsed_interfaces.brief.host-inf\\\",\\\"parsed_interfaces.detail.hw-stats.crc-error\\\",\\\"@timestamp\\\"],
\\\"query\\\":{\\\"bool\\\":{\\\"must\\\":
[{\\\"match\\\":{\\\"ControllerName\\\":\\\"POD3-Controller1\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.name\\\":\\\"vni-0/0\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.host-inf\\\":\\\"eth1\\\"}}],
\\\"filter\\\":
[{\\\"range\\\":{\\\"@timestamp\\\":{\\\"gte\\\":\\\"now-5m\\\",\\\"lte\\\": \\\"now\\\"}}}]}}}]\",
\"index_uuid\":\"DxGqpGNJQqOvoJZOX9Amng\",\"index\":\"all-interface-status\",\"caused_by\":{\"type\":\"parse_exception\",\"reason\":\"Cannot parse
'{\\\"_source\\\":
[\\\"ControllerName\\\",\\\"parsed_interfaces.brief.name\\\",\\\"parsed_interfaces.brief.host-inf\\\",\\\"parsed_interfaces.detail.hw-stats.crc-error\\\",\\\"@timestamp\\\"],
\\\"query\\\":{\\\"bool\\\":{\\\"must\\\":
[{\\\"match\\\":{\\\"ControllerName\\\":\\\"POD3-Controller1\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.name\\\":\\\"vni-0/0\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.host-inf\\\":\\\"eth1\\\"}}],
\\\"filter\\\":
[{\\\"range\\\":{\\\"@timestamp\\\":{\\\"gte\\\":\\\"now-5m\\\",\\\"lte\\\": \\\"now\\\"}}}]}}}'
: Encountered \\\" \\\"]\\\" \\\"] \\\"\\\" at line 1, column 153.\\nWas expecting:\\n \\\"TO\\\" ...\\n \",\"caused_by\":
{\"type\":\"parse_exception\",\"reason\"
:\"Encountered \\\" \\\"]\\\" \\\"] \\\"\\\" at line 1, column 153.\\nWas expecting:\\n \\\"TO\\\" ...\\n \"}}}}]},\"status\":400}"}
Please help me to get this resolved.