Failed to query elasticsearch for previous event Cannot cast org.jruby.RubyNil to org.jruby.RubyString

I'm using the Elasticsearch filter plugin as below

elasticsearch {
    hosts => ["localhost:9200"]
    index => "dashboard_write"
    query => "sessionID:%{[sid]}"
    fields => ["authsid","sid"]
}

I want to write authsid into sid from the existing record with sessionID:%{[sid]}. Or otherwise, with the existing sid value, I need to fetch the document from Elasticsearch and write the authsid field value back to sid.

But I'm getting the below error

Failed to query elasticsearch for previous event {:index=>"dashboard_write", :query=>"sessionID:97f5d56677befd5c94c0a89fab05d1316667f857db2f7bf01dd8a9890edf8dfe", :event=>{"sid"=>"97f5d56677befd5c94c0a89fab05d1316667f857db2f7bf01dd8a9890edf8dfe", "eventID"=>"002E0102", "appdata"=>{"accessType"=>"idp_app", "appName"=>"ServiceNow-Test", "eventTime"=>"Mar 8 12:20:32"}, "@timestamp"=>2022-03-17T12:36:55.653Z, "createDate"=>"2022-03-17T12:36:55.653Z"}, :error=>"Cannot cast org.jruby.RubyNil to org.jruby.RubyString", :backtrace=>["java.lang.invoke.MethodHandleImpl.newClassCastException(MethodHandleImpl.java:361)", "java.lang.invoke.MethodHandleImpl.castReference(MethodHandleImpl.java:356)", ".logstash.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_filter_minus_elasticsearch_minus_3_dot_9_dot_0.lib.logstash.filters.elasticsearch.RUBY$block$filter$1(//logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-elasticsearch-3.9.0/lib/logstash/filters/elasticsearch.rb:150)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:148)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:106)", "org.jruby.runtime.Block.yield(Block.java:184)", "org.jruby.RubyArray.each(RubyArray.java:1809)", ".logstash.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_filter_minus_elasticsearch_minus_3_dot_9_dot_0.lib.logstash.filters.elasticsearch.RUBY$method$filter$0(//logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-elasticsearch-3.9.0/lib/logstash/filters/elasticsearch.rb:145)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:106)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:140)", "org.jruby.ir.targets.InvokeSite.fail(InvokeSite.java:278)", ".logstash.logstash_minus_core.lib.logstash.filters.base.RUBY$method$do_filter$0

If I query the below in Discover, I'm getting the proper record

Querying elasticsearch for lookup {:params=>{:index=>"dashboard_write", :q=>"sessionID:97f5d56677befd5c94c0a89fab05d1316667f857db2f7bf01dd8a9890edf8dfe", :size=>1, :sort=>"@timestamp:desc"}}

What am I missing here?
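
An added example, not part of the original post and not the plugin's source: the backtrace above fails inside `RubyArray.each`, which is consistent with `fields` being iterated as source/target pairs, and this Ruby sketch models that copy step to show why the flat array `["authsid","sid"]` leaves the target name `nil` while a hash of pairs does not. `copy_fields`, `try_copy` and the sample document are hypothetical names and constructed data; the plugin's documentation writes `fields` as a hash of source-field => target-field pairs.

```ruby
# Simplified model of a lookup filter's field-copy step (hypothetical helper,
# not the plugin's source). `fields` maps a key in the looked-up document to
# the key that should receive its value on the current event.
def copy_fields(fields, hit_source, event)
  fields.each do |old_key, new_key|
    # A flat array of strings yields one string per iteration, so the second
    # block parameter is nil and there is no target field name to write to.
    unless new_key.is_a?(String)
      raise TypeError, "no target field for #{old_key.inspect} (got #{new_key.inspect})"
    end
    event[new_key] = hit_source[old_key]
  end
  event
end

# Constructed sample document, shaped like the record the query should return.
HIT = { "sessionID" => "abc123", "authsid" => "auth-42" }.freeze

# Runs the copy against a constructed event and returns either the updated
# event or the error message, so both config shapes can be compared.
def try_copy(fields)
  copy_fields(fields, HIT, { "sid" => "abc123" })
rescue TypeError => e
  e.message
end

FLAT   = ["authsid", "sid"].freeze        # shape used in the post
PAIRS  = { "authsid" => "sid" }.freeze    # hash of source => target
NESTED = [["authsid", "sid"]].freeze      # array of [source, target] pairs

if __FILE__ == $PROGRAM_NAME
  puts "flat array : #{try_copy(FLAT).inspect}"
  puts "hash       : #{try_copy(PAIRS).inspect}"
  puts "nested     : #{try_copy(NESTED).inspect}"
end
```
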
