Field name [server.example.com] cannot contain '.'

Ryan_Groten · September 29, 2016, 8:42pm

I have an application that sends JSON messages to logstash. The JSON looks like this:

{
    "status": "Successful",
    "hosts": {
        "server.example.com": {
            "ok": 2,
            "failed": "false"
        },
        "server2.example.com": {
           "ok": 1,
           "failed": "true"
        }
    }
}

Elasticsearch throws the error 'Field name [server.example.com] cannot contain '.'"'

I tried adding de_dot filter to replace the dots, but I can't get the nesting to work properly. It adds the tag, but the fields all stay the same.

de_dot {
    fields => [ "hosts" ]
    add_tag => [ "de_dot" ]
    nested => true
}

Any suggestions on what I'm doing wrong with de_dot (or better options!)?

logstash 2.4.0
elasticsearch 2.4.0

Ryan_Groten · September 29, 2016, 9:24pm

I was able to convert nested fqdn strings to short names with this incredibly unappealing solution. If anyone has a better alternative I'd love to hear them!

ruby {
    code => "
        data = event['hosts'].clone.to_hash;
        data.each do |k,v|
            newFieldName = k.split('.')[0]
            event['hosts'].delete(k)
            event['hosts'][newFieldName] = v
        end
    "
}

Thanks,
Ryan

magnusbaeck · September 30, 2016, 5:47am

It seems the de_dot filter only considers top-level fields. So yes, for now your ruby filter workaround is probably your best bet.

Topic		Replies	Views
Field name cannot contain '.' Logstash	47	42247	July 6, 2017
Field name [hello.world] cannot contain '.' error, when registering query with Percolate on ES 2.2.2 Elasticsearch	4	1431	July 5, 2017
Dynamically match and rename json fields Logstash	2	1160	April 3, 2017
Field names with dots Logstash	4	1536	July 6, 2017
Prevent collision of field types of structured logs Logstash	4	364	December 27, 2022

Field name [server.example.com] cannot contain '.'

Related topics