Filebeat config:
filebeat.prospectors:
- paths:
    - /*.log
  tags: ["internal", "log"]
  json.message_key: msg
  json.add_error_key: true
  harvester_limit: 500
  close_inactive: 5m
- paths:
    - /other/*.log
  tags: ["one", "two"]
  json.message_key: msg
  json.add_error_key: true
  harvester_limit: 900
  close_inactive: 1m
  close_eof: true
  clean_removed: true

output:
  logstash:
    hosts: ["logstashhost:5000"]
    loadbalance: true
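For context, the applications write one JSON object per line. A typical entry might look like this (field names taken from the template below; the values are invented for illustration):

  {"msg": "copied row", "step": "sync", "keyValues": {"ewdId": 12, "srcRow": 38075, "runId": "r-17", "startTime": "2018-01-05T15:48:34+01:00", "tenant": "acme", "action": "copy", "pid": 4711}}

Since json.keys_under_root is not set, Filebeat nests the decoded object under a json key, which is why the fields appear as json.keyValues.* further down the pipeline.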
Logstash pipeline:
input {
  beats {
    port => 5000
  }
}

filter {
  date {
    # startTime sample: 2018-01-05T15:48:34+01:00
    # (Joda pattern: dd = day of month, ss = seconds, ZZ = +01:00-style offset)
    match => [ "[json][keyValues][startTime]", "yyyy-MM-dd'T'HH:mm:ssZZ" ]
    add_tag => ["dated"]
  }
  mutate {
    # drop Filebeat bookkeeping fields we do not need in the index
    remove_field => ["offset", "input_type", "beat", "host", "type"]
  }
}
output {
  elasticsearch {
    id => "log-meta"
    hosts => ["http://ingestion:9200"]
    index => "datasync-meta-%{+YYYY.MM.dd}"
    template => "/usr/share/logstash/config/log-template.json"
    template_name => "log"
  }
  elasticsearch {
    id => "log-all"
    hosts => ["http://ingestion:9200"]
    index => "log-all-%{+YYYY.MM.dd}"
    template => "/usr/share/logstash/config/log-template.json"
    template_name => "log"
  }
  # stdout { codec => rubydebug }
}
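In case it matters: the pipeline itself parses cleanly with Logstash's config check (the path is just an example from my setup):

  bin/logstash -f /usr/share/logstash/pipeline/log.conf --config.test_and_exit

so the warning below is not a config-parsing problem.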
And the template file:
{
  "index_patterns": ["log-*"],
  "version": 1,
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "doc": {
      "dynamic": false,
      "properties": {
        "@timestamp": {"type": "date"},
        "@version": {"type": "keyword"},
        "json": {
          "properties": {
            "keyValues": {
              "properties": {
                "ewdId": {"type": "long"},
                "srcRow": {"type": "long"},
                "runId": {"type": "text"},
                "startTime": {"type": "date"},
                "cmd": {"type": "text"},
                "class": {"type": "keyword"},
                "tenant": {"type": "keyword"},
                "action": {"type": "keyword"},
                "file": {"type": "text"},
                "pid": {"type": "long"},
                "jobName": {"type": "keyword"}
              }
            },
            "msg": {"type": "text"},
            "step": {"type": "keyword"},
            "tags": {
              "type": "text",
              "norms": false,
              "fields": {
                "keyword": {"type": "keyword", "ignore_above": 256}
              }
            }
          }
        },
        "source": {
          "type": "text",
          "norms": false,
          "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}
          }
        },
        "tags": {
          "type": "text",
          "norms": false,
          "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}
          }
        },
        "type": {
          "type": "text",
          "norms": false,
          "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}
          }
        }
      }
    }
  }
}
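To rule out the template not being applied at all, it can be fetched from Elasticsearch directly (host as configured in the pipeline above):

  curl 'http://ingestion:9200/_template/log?pretty'

which does echo back the mappings shown here, including srcRow as long.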
This setup leads to the warning:
logstash_1 | [2018-01-27T21:04:50,555][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"log-all-2018.01.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x4ce400e5>], :response=>{"index"=>{"_index"=>"log-all-2018.01.27", "_type"=>"doc", "_id"=>"sT5vOWEBsEwqrBiS5-5U", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [json.keyValues.srcRow]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"38075 by rule 0\""}}}}}
I can't see why, because:
- I'm not using the grok plugin.
- In the template, json.keyValues.srcRow is mapped as long, not as string/text.
It is only a warning, but it fills my logs :-/ and I would like to figure out how to avoid it.
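The only workaround I can think of so far is to coerce the field in the Logstash filter before indexing, something like this (untested sketch; I would rather understand where the string value comes from):

  mutate {
    convert => { "[json][keyValues][srcRow]" => "integer" }
  }

but that feels like treating the symptom rather than the cause.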