Hi,
Am having problem in logstash-filter-elaticsearch query :
We already have an index stored under elasticsearch.
on run time we like to enrich the data under logstash by elasticsearch look up.
GET citylist/_search
{
"query" : {
"match_phrase" : {
"ct_name" : "xxxx"
}
}
}
It gives the result on kibana.
Under logstash conf:
if [citypresent]{
elasticsearch {
hosts => ["localhost:9200/citylist/data"]
index => "citylist"
query=> "ct_name:'%{citypresent}'"
query=>'{"query" : {"match_phrase" : {"ct_name" : "%{[citypresent]}"}}}'
fields=>["newcity"]
}
}
Getting : [2] "_elasticsearch_lookup_failure"
[logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"citylist", :query=>"{"query" : {"match_phrase" : {"ct_name" : "%{[citypresent]}"}}}"
:error=>#<Elasticsearch::Transport::Transport::Errors::BadRequest: [400] {"error":{"root_cause":[{"type":"query_shard_exception","reason":"Failed to parse query [{"query" : {"match_phrase" : {"ct_name" : "%{[p_input_city]}"}}}]"
"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"citylist","node":"EpDQwDa_R7iB5utOLiK23Q","reason":{"type":"query_shard_exception","reason":"Failed to parse query [{"query" : {"match_phrase" : {"ct_name" : "%{[citypresent]}"}}}]","index_uuid":"OuuhVn8aScqYUCI_3Vq_0Q","index":"citylist","caused_by":{"type":"parse_exception","reason":"Cannot parse '{"query" : {"match_phrase" : {"ct_name" : "%{[citypresent]}"}}}': Encountered " <RANGE_GOOP> ": "" at line 1, column 9.\nWas expecting:\n "TO" ...\n ","caused_by":{"type":"parse_exception","reason":"Encountered " <RANGE_GOOP> ": "" at line 1, column 9.\nWas expecting:\n "TO" ...\n "}}}}]},"status":400}>}