Incorrect type of field in index from Logstash, why?

d.silwon · February 15, 2021, 4:29pm

Dears,

I loading tomcat logs to Elastic. My logstash config include such grok pattern:

 if "tomcat" in [tags] {
    grok {
      match => ["message", "%{IPV4} (?:-|%{USER:ident}) (?:-|%{USER:auth}) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request} (?:HTTP/%{NUMBER:httpversion})?|-)\" (?:HTTP%{NUMBER:response}) %{BASE10NUM:bytes_sent;number}B (%{BASE10NUM:response_time;number})ms\s+\((%{BASE10NUM:process_time;number})ms\)"]
    }
  }
  if "app" in [tags] {
    grok {
      match => ["message", "%{YEAR}.%{MONTHNUM}.%{MONTHDAY} %{TIME:time} \[%{DATA:application}] %{LOGLEVEL:logLevel} %{SPACE}*%{JAVACLASS:class} %{NOTSPACE} %{GREEDYDATA:app_msg}"]
    }
  }

Example lines from log file looks like:

10.181.231.53 - - [15/Feb/2021:13:11:32 +0100] "GET /v1/apps/X00004000001?terminal_type=VIRTUAL HTTP/1.1" HTTP200 318B 858ms (857ms)
10.181.231.53 - - [15/Feb/2021:13:33:44 +0100] "GET /v1/apps/X00004000001?terminal_type=VIRTUAL HTTP/1.1" HTTP200 318B 97ms (96ms)

Why Elasticsearch creates index where three last fields are strings instead of numeric fields like configuration in logstach??

Best Regards,
Dan

Badger · February 15, 2021, 5:26pm

That should be %{BASE10NUM:bytes_sent:int}. It will not take effect until you roll over to a new index.

d.silwon · February 15, 2021, 5:44pm

Unfortunately I also tested it with pattern %{BASE10NUM:bytes_sent:int} but the field in index was as a string.

Badger · February 15, 2021, 6:25pm

Did you create a new index? Once the type of a field in an index is set then it will not change.

d.silwon · February 15, 2021, 6:34pm

Yes, the new index was created.

d.silwon · February 16, 2021, 1:19pm

Solved for the help of mutate/convert plugin in Logstash config:

  if "tomcat" in [tags] {
    grok {
      match => ["message", "%{IPV4} (?:-|%{USER:ident}) (?:-|%{USER:auth}) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request} (?:HTTP/%{NUMBER:httpversion})?|-)\" (?:HTTP%{NUMBER:response}) %{BASE10NUM:bytes_sent;int}B (%{BASE10NUM:response_time;int})ms\s+\((%{BASE10NUM:process_time;int})ms\)"]
    }
  mutate {
        convert => {
                "bytes_sent" => "integer"
                "response_time" => "integer"
                "process_time" => "integer"
                }
        }
  }

Thanks a lot for your help and advice.

Best Regards,
Daniel

Badger · February 16, 2021, 5:30pm

That should be a colon, not a semicolon.

d.silwon · February 16, 2021, 5:55pm

@Badger I'll check/test it tomorrow morning. Thanks for your advice.

d.silwon · February 17, 2021, 6:10am

@Badger you are right. There was mistake in colon and semicolon. After corection and deletion of mutate/convert plugin from logstash config the index was created with proper types integer for fields "bytes_sent", "bytes_sent", "bytes_sent". Thanks a lot.

system · March 17, 2021, 6:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field NUMBER save as String Logstash	1	351	January 1, 2019
Mismatch in field type Logstash	7	784	August 19, 2018
How do I set a field type using grok? Logstash	4	20855	July 6, 2017
Field marked as number, but index is having it as string Logstash	3	1159	July 6, 2017
Haproxy data, every field is a string Elasticsearch	3	1628	July 5, 2017

Incorrect type of field in index from Logstash, why?

Related topics