Elasticsearch Input Filter Returns %{message}

ben-10 · February 13, 2017, 10:11pm

Attempting to use the Elasticsearch input plugin on Logstash 5.2.0, but with the following config:

input {
   elasticsearch {
      hosts => "esearch-cn1:9200"
      index => "logstash_sa_2017.02.06"
      query => '{ "query": { "term": { "parsed_xml.UserID": "testuser" } } }'
   }
}
output {
   std{}
}

With or without the query, the data returned looks like:

2017-02-06T11:37:50.000Z logaggp %{message}
2017-02-06T11:39:50.000Z logaggp %{message}
2017-02-06T12:19:52.000Z logaggp %{message}

Before I go any deeper with query or the final out, what am I missing to get the actual data?

msimos · February 13, 2017, 11:29pm

Hi,

Try using:

output {
stdout { codec => rubydebug }
}

You can start off by using a match_all query and see if that works to be sure you're getting some data.

system · March 13, 2017, 11:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.