GROK filter cannot be applied on aggregated events

jpry · July 22, 2016, 2:55pm

Hi, thanks for answering.

Here is what I get after typing the query:

curl -XGET 'http://ELKserver/logstash-*/_search?pretty'
-d '{
{
  "size": 2, 
  "query": {
  "bool": {
  "filter": {
    "query_string": {
      "query": "\"cjones\" AND \"cjones@GEEKO.COM\""
         }
      }
    }
  }
}

{

"took" : 1831,
"timed_out" : false,  
"_shards" : {  
"total" : 140,    
"successful" : 140,   
"failed" : 0  
},

"hits" : {    
"total" : 1,  
"max_score" : 0.0,    
"hits" : [ {   
"_index" : "logstash-2016.07.12",      
"_type" : "logstash",  
"_id" : "AVXgPrdV2kEjcao1vk8K",   
"_score" : 0.0,

     
"_source":{"message":"<14>Jul 12 19:54:13
CiscoMXTextMailLogs_Logstash: Info: MID 8888888 ICID 9999999 RID 0 To: <cjones@GEEKO.com>","@version":"1","@timestamp":"2016-07-12T17:54:13.566Z","type":"logstash","host":"189.18.16.89","tags":["_grokparsefailure_sysloginput","grokked_syslog
"],"priority":0,"severity":0,"facility":0,"facility_label":"kernel","severity_label":["Emergency","Info"],"received_at":"2016-07-12T17:54:13.566Z","hostname":"hostname","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice","syslog_pri":"14","info":"MID
8888888 ICID 9999999 RID 0 To: < cjones@GEEKO.com >"}

} ]  
}
}

Topic		Replies	Views
Aggregation Filter 2 logs same index Logstash	12	470	September 1, 2020
Aggregate filter Logstash	8	407	August 13, 2021
Make Grok filter fields aggregatable Logstash	4	1103	July 24, 2018
How to manage multiline events based on a random field Logstash	24	5728	July 6, 2017
Grok fields are not visible in kibana Logstash	9	3447	July 6, 2017

GROK filter cannot be applied on aggregated events

Related topics