How do I convert my existing Logstash grok to match Elastic Common Schema (ECS) data types?

Hi Team,

I'm trying to change the existing grok patterns for several log formats into the standard ECS format.

For example, the ECS URL schema says that for defining a URL I can use url.full, and the type should be 'keyword'.

When I try the Grok Debugger developer tool in Kibana, it says: Unable to find pattern [keyword] in Grok's pattern dictionary, with { property_name="patterns" & processor_type="grok" }

The same applies to source.port, where the type is 'long', and I get the same error.

Reference:
https://www.elastic.co/guide/en/ecs/current/ecs-url.html

Can you help with this? What am I missing that stops me from converting the existing filter into ECS format?

Thanks!

I believe that when ECS says the type is keyword it is referring to the mapping in Elasticsearch. It has nothing to do with grok, or anything in Logstash.



Yes, Badger is correct, these are data types.

Check out this post for a good start at parsing web logs: Parsing URL with Logstash (using ECS fields) nested!
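To make the distinction in the two replies above concrete, here is an added example (not code from this thread, from Logstash or from Elasticsearch) in Python. It emulates the `%{PATTERN:field:type}` capture syntax of Logstash grok with a few simplified stand-in patterns, parses a constructed log line into ECS-named, nested fields, and then checks the result against the ECS mapping types (`keyword`, `long`). The pattern regexes, the sample line and the mapping dictionary are constructed for this example; the only grok-level conversions modelled are the `int` and `float` that Logstash grok supports.

```python
import re

# Simplified stand-ins for a few standard grok patterns. Constructed for this
# example; the real definitions shipped with Logstash/Elasticsearch cover
# more cases (IPv6, userinfo in URLs, scientific notation, ...).
GROK_PATTERNS = {
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\w+",
    "URI": r"[A-Za-z][A-Za-z0-9+.\-]*://\S+",
    "GREEDYDATA": r".*",
}

# The only conversions Logstash grok accepts in %{PATTERN:field:type}.
# "keyword" and "long" are Elasticsearch mapping types, not grok conversions.
GROK_CONVERSIONS = {"int": int, "float": float}

# %{NAME}, %{NAME:field} or %{NAME:field:type}
CAPTURE_RE = re.compile(r"%\{(\w+)(?::([\w.@]+))?(?::(\w+))?\}")


def compile_grok(pattern):
    """Translate a grok expression into a Python regex plus a capture table."""
    captures = []  # (ecs_field, conversion) in order of appearance

    def expand(m):
        name, field, conv = m.groups()
        if name not in GROK_PATTERNS:
            # Same wording as the Kibana Grok Debugger error in the question.
            raise ValueError(f"Unable to find pattern [{name}] in Grok's pattern dictionary")
        if conv is not None and conv not in GROK_CONVERSIONS:
            raise ValueError(f"[{conv}] is not a grok conversion; declare it in the index mapping")
        if field is None:
            return f"(?:{GROK_PATTERNS[name]})"
        captures.append((field, conv))
        # Dots are not allowed in Python group names, so capture by position.
        return f"(?P<c{len(captures) - 1}>{GROK_PATTERNS[name]})"

    return re.compile(CAPTURE_RE.sub(expand, pattern)), captures


def set_nested(doc, dotted, value):
    """Store url.full as {"url": {"full": ...}}, the object layout ECS uses."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def grok_match(compiled, line):
    """Apply a compiled grok to one line; None when it does not match."""
    regex, captures = compiled
    m = regex.search(line)
    if m is None:
        return None
    event = {}
    for i, (field, conv) in enumerate(captures):
        value = m.group(f"c{i}")
        if conv:
            value = GROK_CONVERSIONS[conv](value)  # grok's int/float only
        set_nested(event, field, value)
    return event


# This is where the ECS types from the field reference actually live: the
# index mapping (index template), not the grok pattern. Constructed subset.
ECS_MAPPING = {
    "properties": {
        "source": {"properties": {"address": {"type": "keyword"},
                                  "port": {"type": "long"}}},
        "http": {"properties": {"request": {"properties": {"method": {"type": "keyword"}}}}},
        "url": {"properties": {"full": {"type": "keyword"}}},
    }
}

# Which JSON value types fit each mapping type without relying on coercion.
MAPPING_TYPE_OK = {
    "keyword": lambda v: isinstance(v, str),
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
}


def mapping_problems(event, mapping, prefix=""):
    """Return fields whose JSON type does not fit the declared mapping type."""
    problems = []
    for name, value in event.items():
        path = f"{prefix}{name}"
        spec = mapping.get("properties", {}).get(name)
        if spec is None:
            problems.append(f"{path}: not in mapping")
        elif "properties" in spec and isinstance(value, dict):
            problems.extend(mapping_problems(value, spec, path + "."))
        elif not MAPPING_TYPE_OK.get(spec.get("type"), lambda v: True)(value):
            problems.append(f"{path}: {value!r} is not a valid {spec['type']}")
    return problems


# Constructed sample line: client address, client port, method, full URL.
SAMPLE_LINE = "10.0.0.5 51234 GET https://example.test/login?next=%2Fadmin"

# ECS-style grok: captures are named with ECS field names. Only the port asks
# grok for a conversion (":int"); url.full gets no type suffix at all.
ECS_GROK = ("%{IPV4:source.address} %{NUMBER:source.port:int} "
            "%{WORD:http.request.method} %{URI:url.full}")


def parse_sample():
    return grok_match(compile_grok(ECS_GROK), SAMPLE_LINE)


def bad_pattern_error(pattern):
    """The error text the mini-grok gives for a mistaken pattern, else None."""
    try:
        compile_grok(pattern)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    event = parse_sample()
    print(event)
    print("mapping problems:", mapping_problems(event, ECS_MAPPING))
    print(bad_pattern_error("%{keyword:url.full}"))
    print(bad_pattern_error("%{URI:url.full:keyword}"))
```

Run stand-alone it prints the nested event, an empty problem list, and the two errors you get when a mapping type is written into the grok pattern (as the pattern name, or as a conversion suffix). The takeaway is the one in the replies: `keyword` and `long` belong in the index template, while the grok pattern only names the capture (`%{URI:url.full}`) and, for numeric fields, asks for `int`/`float` so the JSON carries a number. Elasticsearch's default `coerce` would still index the string `"51234"` into a `long` field, but `_source` would keep the string, which is why the `:int` suffix is worth adding even though the mapping is what fixes the type.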