How to save the data obtained by using the http_poller input plug-in of logstash to elasticsearch?

zhyp · August 24, 2021, 7:16am

Hi

I use version 7.12.0.

I used http_poller to call the SQL API of elasticsearch and got some statistics.
input {
http_poller {
urls => {
item => {
method => post
url => "http://localhost:9205/_sql?format=csv"
body => '{"query": "SELECT \u0027test\u0027 AS data_type, time, sum(count) AS count FROM test group by time"}'
headers => {
"content-type" => "application/json"
}
}
}
codec => "plain"
schedule => { cron => "*/2 * * * * *"}
}
}
It can get data
data_type,time,count
test,2021-08-10,1
test,2021-08-11,2
I want to match each line in the filter and save it to elasticsearch. My configuration is like this, but it doesn't work.

filter {
grok {
match => { "message" => "test,%{TIMESTAMP:time},%{NUMBER:count}" }
add_field => {
"time" => "%{time}"
"count" => "%{count}"
}
}
mutate {
remove_field => ["@timestamp", "@version"]
}
}

3、The following is the output configuration.

elasticsearch {
ecs_compatibility => disabled
action => "update"
doc_as_upsert => true
hosts => ["localhost:9205"]
index => "demo"
document_id => "%{time}"
}

AquaX · August 24, 2021, 6:23pm

This is not a valid GROK pattern.

You should use:
test,%{YEAR}-%{MONTHNUM}-%{MONTHDAY},%{NUMBER:count}

Then you can combine YEAR, MONTHNUM and MONTHDAY into a single field and combine it into the @timestamp field using the
date filter

date {
match => [ "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}", "yyyy-MM-dd" ]
}

Badger · August 24, 2021, 6:31pm

Or use a custom pattern

grok {
    pattern_definitions => { "TIMESTAMP" => "{YEAR}-%{MONTHNUM}-%{MONTHDAY}" }
    match => { "message" => "test,%{TIMESTAMP:time},%{NUMBER:count}" }
}

The add_field option is not needed.

zhyp · August 25, 2021, 2:29am

Sorry, I got the data format wrong.The data format is JSON.

{"message":"data_type,time,count\r\ntest,2021-08-10,1.0\r\n","@timestamp":"2021-08-25T02:11:38.563Z","@version":"1"}

Although I wanted to set it to TXT format at first, it will make mistakes.

Content-Type header [text/plain; charset=ISO-8859-1] is not supported

zhyp · August 25, 2021, 2:59am

I tried all the above methods. Here are the results.

{"message":"data_type,time,count\r\ntest,2021-08-10,1.0\r\n","tags":["_grokparsefailure"]}

zhyp · August 25, 2021, 3:06am

To achieve this summation, I tried using the aggregate filter. However, I can't get the results correctly. Can you help me?

system · September 22, 2021, 3:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Http_poller input only new lines? Logstash	12	2251	February 9, 2018
Help with http http_poller input plugin Logstash	3	306	June 17, 2021
HTTP_Poller send output to elasticsearch Logstash	7	3071	October 26, 2017
Polling with logstash using http_poller Logstash	5	1417	December 13, 2017
How to send data from HTTP input to ElasticSearch using Logstash and jdbc_streaming filter? Logstash	2	439	February 10, 2020

How to save the data obtained by using the http_poller input plug-in of logstash to elasticsearch?

Related topics