Logstash EXEC input

Hello,

I have a simple EXEC input in logstash, as follows:

input {
exec {
command => "ls"
interval => 30
}
}

output {
elasticsearch {
hosts => ["<es_host>:9200"]
}
}

However, I keep getting the following error in Logsatsh:

Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x7b6abf30], :response=>{"index"=>{"_index"=>"logstash-2019.12.10-000001", "_type"=>"_doc", "_id"=>"p3i5h3ABrLJab5qrENsk", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

How does indexing work for the EXEC input plugin? Does it not simply put the results in the existing logstash index? Thank you!

An exec input sets the [host] field equal to the name of the server on which it executes (as does a file input and probably some others). However, beats add [host] as an object containing a [host][name] field. elasticsearch cannot support a field that is sometimes a string and sometimes an object.

You can use mutate+rename to change [host] to [host][name].

Ah, I understand. Thank you, Badger, for the information. Could I bother you again to give me the syntax for adding the filter in my file? Thank you!

Thank you so much, Badger! I got it to work, following your advice. I appreciate your time very much!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.