I'm new to elk, trying to query es from logstash with this:
    elasticsearch {
        hosts => [ "my-elk-server:9200" ]
        user => "elastic"
        password => "changeme"
        index => "exchange-*"
        query => "type:iis AND cs-user:%{[cs-user]}"
        fields => [ { "@timestamp" => "prior-timestamp" },
                    { "geoip.location" => "prior-location" } ]
    }
Some fields have been sanitized :-). If the user or password is wrong, I get a security failure; when it's right, I get this:
[2017-02-14T19:29:48,818][INFO ][logstash.filters.elasticsearch] Querying elasticsearch for lookup {:params=>{:index=>"exchange-", :q=>"type:iis AND cs-user:somebody", :size=>1, :sort=>"@timestamp:desc"}}
[2017-02-14T19:29:49,129][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"exchange-", :query=>"type:iis AND cs-user:somebody", :event=>2017-02-09T00:00:00.000Z localhost.localdomain 2017-02-09 00:00:00 xxx.yyy.zz.1 POST /autodiscover/autodiscover.xml &CorrelationID=;&cafeReqId=e1eb2af0-b060-432c-a45e-39f3752210af; 80 somebody zz2.yy2yy2.227 Mac+OS+X/10.10.4+(14E46);+ExchangeWebServices/5.0+(213);+Mail/8.2+(2102) - 401 1 1326 1, :error=>#<TypeError: can't convert nil into String>}
With or without the index, it makes no difference; with only one field, it makes no difference either. I'm stumped, and I don't know where to look.
Thanks