Logstash could not index event to Elasticsearch

TheHunter1 · November 4, 2020, 9:33am

Hello eveybody,
I am using Logstash to parse my firewall logs, and in some logs I am getting that errors:

[2020-11-03T16:07:22,361][WARN ][logstash.outputs.elasticsearch][main][f05eea78ee20871f68357cbab5919471405decdd543eeae8c79baf8bd6c2af6a] Could not index event to Elasticsearch. {:status=>400, 
"reason"=>"failed to parse field [slotlevel] of type [integer] in document with id 'KZeljnUBd54xy33-9Zlx'
"reason"=>"Numeric value (4294967295) out of range of int (-2147483648 - 2147483647)\n at

I understand from that logs that the value of the field slotlevel is much bigger than what we can store in an int type.

Can you tell me please what type I can use in grok to solve that problem.

In my case I am using this filter to parse that log:

(slotlevel=%{NUMBER:slotlevel:int} )?

Thanks for your help

warkolm · November 5, 2020, 3:37am

You can use the int there, but you may need to change the mapping for the field in Elasticsearch to use long instead.

TheHunter1 · November 5, 2020, 1:31pm

Oh thank you, so the problem is in the mapping and not in the grok filter.
If I change the integer to long by running PUT _template/firewall again in the Dev Tool on Kibana I won't have a problem in my index ? or there is another solution to change the mapping ?

warkolm · November 5, 2020, 9:44pm

That will only apply for new indices, but it's the right way to do it.

system · December 3, 2020, 9:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.