Error when using elasticsearch logstash filter

Good day! Please advise.
I get an error when using the Elasticsearch Logstash filter. I need to query an index to find an IP value and, if it exists, write it to the field 'match'.
Here is the code of my .conf file:

input {
    udp {
        port => 5555
    }
}
filter {
    if [direction] == "outgoing" {
        elasticsearch {
            hosts => ["elasticsearch:9200"]
            index => "filebeat-1"
            query => "_exists_:threatintel.indicator.ip AND threatintel.indicator.ip:%{[dst]}"
            fields => { "threatintel.indicator.ip" => "match" }
        }
    }
}
output {
    elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "logstash-1"
    }
}

An error occurs while executing:
Failed to query elasticsearch for previous event {:index=>"filebeat-1", :error=>"[400] {\"error\":{\"root_cause\":[{\"type\":\"query_shard_exception\",\"reason\":\"failed to create query: '%' is not an IP string literal.\",\"index_uuid\":\"1f6v8pEtQDKocMesc02LrQ\",\"index\":\"filebeat-1\"}],\"type\":\"search_phase_execution_exception\",\"reason\":\"all shards failed\",\"phase\":\"query\",\"grouped\":true,\"failed_shards\":[{\"shard\":0,\"index\":\"filebeat-1\",\"node\":\"HsYTd-D5QRyX4tn2VaQs8A\"

It should be noted that the field threatintel.indicator.ip has an 'ip address field' type and the dst field is a string. Could this be the cause of the problem? Or is there another reason?

elasticsearch is returning that error. The only way elasticsearch will see the % is if the [dst] field does not exist on an event, in which case %{[dst]} will not get substituted when the filter calls sprintf.
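To make the answer concrete, here is an added example (not Logstash's code and not from the thread) that emulates Logstash's sprintf substitution and shows why an event without a dst field sends the literal text %{[dst]} to Elasticsearch; it also shows the guard a safer pipeline would apply, which in a Logstash conditional corresponds to `if [direction] == "outgoing" and [dst]`. The sample events and the IP validity check are assumptions added for illustration.

```python
import ipaddress
import re

# Logstash-style field reference: %{[dst]}, %{[source][ip]} or %{dst}
FIELD_REF = re.compile(r"%\{((?:\[[^\]]+\])+|[\w.@]+)\}")

# The query from the .conf file in the question
QUERY = "_exists_:threatintel.indicator.ip AND threatintel.indicator.ip:%{[dst]}"


def lookup(event, path):
    """Resolve a field path such as '[dst]' or '[source][ip]' in a nested event dict."""
    keys = re.findall(r"\[([^\]]+)\]", path) or [path]
    node = event
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def sprintf(template, event):
    """Emulate Logstash sprintf: references to fields that do not exist are left
    unchanged, which is how a literal '%' ends up in the Elasticsearch query."""
    def repl(match):
        value = lookup(event, match.group(1))
        return match.group(0) if value is None else str(value)
    return FIELD_REF.sub(repl, template)


def build_lookup_query(event):
    """Return the query to send, or None when the lookup should be skipped.
    Guard (assumed, not in the original .conf): direction is outgoing, dst
    exists, and dst parses as an IP, since an ip-typed field rejects any
    other literal with a 400 query_shard_exception."""
    if event.get("direction") != "outgoing":
        return None
    dst = lookup(event, "[dst]")
    if dst is None:
        return None  # the unguarded config would send '%{[dst]}' verbatim here
    try:
        ipaddress.ip_address(str(dst))
    except ValueError:
        return None  # e.g. a hostname in dst would also fail against an ip field
    return sprintf(QUERY, event)


if __name__ == "__main__":
    # Constructed sample events: one with dst, one without
    print(build_lookup_query({"direction": "outgoing", "dst": "10.1.2.3"}))
    print(sprintf(QUERY, {"direction": "outgoing"}))  # dst missing: '%{[dst]}' stays
```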
