Elasticsearch output: LogStash::Error: timestamp field is missing

ouss · September 3, 2019, 2:58pm

Hello,

I have an elasticsearch output working without any problem

elasticsearch {
  hosts => [ "${LOGS_ELASTICSEARCH_CLUSTER}:443" ]
  ssl => true
  index => "cwl-%{+YYYY.MM.dd}"
  document_type => "log"
}

I wanted to redirect some type of logs to a new elasticsearch index but I'm getting this error

[2019-09-03T14:39:00,242][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<LogStash::Error: timestamp field is missing>, :backtrace=>["org/logstash/ext/JrubyEventExtLibrary.java:202:in `sprintf'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.3.8-java/lib/logstash/outputs/elasticsearch/common.rb:172:in `event_action_params'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.3.8-java/lib/logstash/outputs/elasticsearch/common.rb:48:in `event_action_tuple'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.3.8-java/lib/logstash/outputs/elasticsearch/common.rb:42:in `multi_receive'", "org/jruby/RubyArray.java:2414:in `map'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.3.8-java/lib/logstash/outputs/elasticsearch/common.rb:42:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/shared.rb:13:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:47:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:420:in `output_batch'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:419:in `output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:365:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:330:in `start_workers'"]}

No newer events found at the moment. Retry.

The new output is:

  if "http" in [tags] {
    elasticsearch {
      hosts => [ "${LOGS_ELASTICSEARCH_CLUSTER}:443" ]
      ssl => true
      index => "cwl-http-%{+YYYY.MM.dd}"
      document_type => "log"
    }
  }
  else {
    elasticsearch {
      hosts => [ "${LOGS_ELASTICSEARCH_CLUSTER}:443" ]
      ssl => true
      index => "cwl-%{+YYYY.MM.dd}"
      document_type => "log"
    }
  }

I modified my filter like this

 ### HTTP logs
 if [logger_name] == "HttpLoggerService" {
   mutate {
     add_tag => [ "http" ]
   }
 }

any thing wrong in my configuration ?

Thanks!

Badger · September 3, 2019, 4:15pm

You are using %{+YYYY.MM.dd} in your index name, but the event does not have a @timestamp field from which to extract the year, month and day.

If the only difference between the two elasticsearch outputs is the index name it would be slightly more efficient to put the index name into a [@metadata] field and use a sprintf reference to it.

ouss · September 4, 2019, 10:00am

It solved my problem, Thanks @Badger

system · October 2, 2019, 10:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch output Document missing exception 404 Logstash	6	15956	July 6, 2017
Logstash to Elasticsearch there is 10-20min for delay, also not all logs are indexed Logstash	4	331	July 15, 2023
Field is present but missing Logstash	4	367	November 14, 2018
Can't change timestamp of logstash to timestamp of log Logstash	3	544	February 22, 2021
Elasticsearch input missing [@metadata][_index] Logstash	14	2336	April 15, 2020

Elasticsearch output: LogStash::Error: timestamp field is missing

Related Topics