Jenni
August 5, 2020, 1:31am
5
I think you've run into an issue that seems to have been open for a while…
Specify all hosts with their https:// prefix and do not specify the ssl attribute.
When performing an Elasticsearch filter query, I get the below error (I've replaced sensitive values with an equivalent number of Xs).
[WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"servicenow-*", :error=>"Illegal character in authority at index 8: https://{:host=>\"xxxxxxxxx.xxxxxxxxx.net:9200\", :scheme=>\"https\", :protocol=>\"https\", :port=>9200}:9200/servicenow-%2A/_search?q=number%3AXXX0029703&size=1&sort=%40timestamp%3Adesc"}
What does…
opened 09:14AM - 16 Apr 20 UTC
closed 01:54PM - 12 Aug 21 UTC
I'm trying to use this filter plugin. When I run it with Logstash 7.6.2 and newest filter version 3.7.1, I receive the following error:
`[WARN ] 2020-04-16 09:05:18.073 [[main]>worker1] elasticsearch - Failed to query elasticsearch for previous event {:index=>"proxy-blacklist", :error=>"Illegal character in authority at index 8: https://{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>\"elastic01.example.org\", :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\"}, :scheme=>\"https\"}, :scheme=>\"https\"}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\"}, :scheme=>\"https\"}, :scheme=>\"https\"}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\"}, :scheme=>\"https\"}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\", :protocol=>\"https\", :port=>9200}, :scheme=>\"https\"}, :scheme=>\"https\"}:9200/proxy-blacklist/_search?q=domain.keyword%3A%2F%28www.%29%3Fchat.example.org%2F&size=1&sort=%40timestamp%3Adesc"}`
So it comes down to:
`Illegal character in authority at index 8`
I've found many users who seem to have this problem but no solution at all. Some solve this by not using "ssl => true" and using the prefix "https://" in the hosts section instead. This does not solve the error for me. My filter config looks like this:
> filter {
>   grok {
>     patterns_dir => [ "/etc/logstash/patterns/patterns" ]
>     match => [ "message", "%{SQUIDACCESS}" ]
>   }
>   elasticsearch {
>     hosts => [ "elastic.example.org" ]
>     user => "elastic"
>     password => "changeme"
>     ssl => true
>     ca_file => "/etc/logstash/ca.crt"
>     index => "blacklist"
>     query => "domain.keyword:/(www.)?%{zone}/"
>     fields => { "domid" => "domid" }
>     fields => { "source" => "source" }
>   }
> }
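
A lint for the workaround quoted above, as an added example that is not part of the original posts or of the plugin: it checks each `elasticsearch { ... }` block of a pipeline for hosts that lack the `https://` prefix and for a leftover `ssl` attribute. The sample configs are constructed from the one in the issue; the function names and the `:9200` port in the second sample are assumptions.

```ruby
# Added example (not the plugin's code). Assumes braces inside quoted strings
# are balanced, as in "%{zone}", so plain brace counting finds the block end.

# Body of every `elasticsearch { ... }` block in a pipeline config.
def es_blocks(config)
  blocks = []
  config.scan(/^\s*elasticsearch\s*\{/) do
    start = pos = Regexp.last_match.end(0)
    depth = 1
    while depth > 0 && pos < config.length
      depth += 1 if config[pos] == "{"
      depth -= 1 if config[pos] == "}"
      pos += 1
    end
    blocks << config[start...pos - 1] if depth.zero?
  end
  blocks
end

# One finding per block: hosts lacking https:// and whether `ssl` is still set.
def lint_es_filter(config)
  es_blocks(config).map do |body|
    hosts = body[/\bhosts\s*=>\s*(\[[^\]]*\]|"[^"]*")/, 1].to_s.scan(/"([^"]*)"/).flatten
    bare = hosts.reject { |h| h.start_with?("https://") }
    ssl_set = body.match?(/^\s*ssl\s*=>/)
    { hosts: hosts, missing_https: bare, ssl_attribute: ssl_set,
      follows_workaround: !hosts.empty? && bare.empty? && !ssl_set }
  end
end

# Constructed samples: the config from the issue, then the workaround applied.
BEFORE_CONFIG = <<~'CONF'
  filter {
    elasticsearch {
      hosts => [ "elastic.example.org" ]
      user => "elastic"
      ssl => true
      query => "domain.keyword:/(www.)?%{zone}/"
      fields => { "domid" => "domid" }
    }
  }
CONF
AFTER_CONFIG = BEFORE_CONFIG
  .sub('"elastic.example.org"', '"https://elastic.example.org:9200"')
  .sub(/^\s*ssl => true\n/, "")

[BEFORE_CONFIG, AFTER_CONFIG].each { |c| puts lint_es_filter(c).inspect }
```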