Incorrect mapping not matching grok filers and fields .conf file

asad_ali · June 18, 2019, 2:48pm

Hey folks,

I have .conf as

input {
  beats { port => 5044}
}

filter {
  grok {
  match => [
        "message", "%{TIMESTAMP_ISO8601:timestamp_sting}%{SPACE}%{GREEDYDATA:line}"
 ]
}

date {
        match => ["timestamp_sting", "ISO8601"]
 }

mutate {
        remove_field => [message, timestamp_sting]
 }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "changeme"
  }
stdout {
        codec => rubydebug
        }
}

Output of

GET /filebeat-7.1.1-2008.09.15/_search
{
"query": {
"match_all" :{}
}  }

is link
http://ge.tt/9lhWdfw2
file name

[Logstash_output.txt]

/root/logstash-7.1.1/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/elasticsearch-template-es7x.json
{
"index_patterns" : "logstash-",
"version" : 60001,
"settings" : {
"index.refresh_interval" : "5s",
"number_of_shards": 1
},
"mappings" : {
"default" : {
"_all" : { "enabled" : false },
"dynamic_templates" : [ {
"message_field" : {
"path_match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text",
"norms" : false
}
}
}, {
"string_fields" : {
"match" : "",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text", "norms" : false,
"fields" : {
"keyword" : { "type": "keyword", "ignore_above": 256 }
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date"},
"@version": { "type": "keyword"},
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
}
}
}
}
}

Badger · June 18, 2019, 3:29pm

Did you have a question?

asad_ali · June 18, 2019, 3:52pm

The problem is that the mapping or parsing is not done according to the format defined under logstash .conf file, when I get the index pattern its is extracting fields which >50 are not defined by me, but some default template which it is using. I have tried running logstash with stdin /stdout as cli and it works great , but when stdin is from file-beat and destination as elasticsearch the mapping is mixed up. Kindly assist.

Badger · June 18, 2019, 4:17pm

This is an issue with your filebeat configuration. For example the [host] object is added by the host metadata processor.

If you are unable to figure out which processors are adding which fields you should ask a question in the filebeat forum, including an example of a document from elasticsearch.

asad_ali · June 18, 2019, 6:28pm

I tried to remove the host.metadata not extra fields are dropped down to 34 from 51. I opened new link here

system · July 16, 2019, 6:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash showing logs send to Kibana with yellow index and mismatched pre-populated fields mapping Logstash	1	288	July 14, 2019
Can't fix _grokparsefailure Logstash	6	471	January 9, 2019
Incorrect mapping of fields by Kibanna send from logstash Beats filebeat	4	466	July 18, 2019
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6118	June 15, 2017
Grok Filter not extracting the fields Logstash	8	1227	August 10, 2017

Incorrect mapping not matching grok filers and fields .conf file

Related topics