Grokparsefailure in Logstash output

So I was trying to ingest nginx logs into my Logstash, and after several attempts to solve this I am exhausted now. Grok is working properly in the debugger, but whenever I put that into Logstash, _grokparsefailure occurs. Any help will be really appreciated. Thanks in advance.

Below is the log (directly copied from log file in putty) and grok pattern:

EDIT: Attaching log file as pasting here is creating some problem.

Did you read the error message?

"Could not set field 'port' on object '103.205.132.222' to value '56170'.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string"

You have parsed the IP address using

%{IPORHOST:[apache2][access][remote_ip]}

So [apache2][access][remote_ip] is a string. Then you try to parse the port number using

%{DATA:[apache2][access][remote_ip][port]}

and that treats [apache2][access][remote_ip] as an object. It cannot be both a string and an object.
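The conflict described in the answer above can be caught before a pattern is deployed. The following is an added example, not part of the original thread and not Logstash code: a small Python check that lists every capture target in a grok pattern and reports pairs where one field reference is a strict prefix of another. The sample patterns are constructed; the `:` separator between the two captures and the `[apache2][access][remote_port]` field name in the corrected pattern are assumptions.

```python
import re

# %{SYNTAX:target} or %{SYNTAX:target:type}; target is a bare name or an [a][b] reference.
CAPTURE = re.compile(r"%\{\w+:([^:}]+)(?::\w+)?\}")


def field_path(ref):
    """Split a field reference such as [a][b][c] into ('a', 'b', 'c')."""
    parts = re.findall(r"\[([^\[\]]+)\]", ref)
    return tuple(parts) if parts else (ref,)


def to_ref(path):
    """Render a path tuple back into bracketed field-reference form."""
    return "".join("[%s]" % p for p in path)


def find_conflicts(pattern):
    """Return (string_field, nested_field) pairs where one capture stores a
    string in a field and another capture treats that field as an object."""
    paths = []
    for match in CAPTURE.finditer(pattern):
        path = field_path(match.group(1))
        if path not in paths:
            paths.append(path)
    conflicts = []
    for parent in paths:
        for child in paths:
            if len(child) > len(parent) and child[:len(parent)] == parent:
                conflicts.append((to_ref(parent), to_ref(child)))
    return conflicts


# Constructed sample using the two captures quoted in the thread.
BROKEN = ("%{IPORHOST:[apache2][access][remote_ip]}:"
          "%{DATA:[apache2][access][remote_ip][port]}")
# Constructed correction: the port goes to a sibling field (hypothetical name).
FIXED = ("%{IPORHOST:[apache2][access][remote_ip]}:"
         "%{DATA:[apache2][access][remote_port]}")

if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_conflicts(pattern))
```

The grok debugger does not report this kind of conflict, which is why the pattern appeared to work there; the failure only shows up when Logstash tries to write the nested field into the event.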

Thanks for the quick response. Actually, I started working with Elastic recently. Can you please let me know how you debugged this log and got the output? It will help me avoid further problems like this.

The error message that I quoted is logged in the logstash logs. You need to read the logs when you have problems.

Thanks for your tremendous help. It worked like a charm.
