ASA01
March 26, 2021, 1:25pm
1
Running across something I don't understand after building a new stack with the latest release of Logstash (7.11.1). It appears to be entering the hostname wrong, or I understand it wrong. The system hostname is cmscd; however, in ES I am seeing
I looked in the environ for logstash and see HOSTNAME=cmscd. I am not sure where the duplicate names are coming from. Nothing really crazy in my output section.
output {
  elasticsearch {
    hosts => [ "http://localhost:9200"]
    index => "ech-%{+YYYY.MM.dd}"
    document_id => "%{acd}_%{callid}_%{segment}_%{ucid}"
    manage_template => false
    user => "${ES_USER}"
    password => "${ES_PWD}"
  }
  stdout { codec => rubydebug }
}
Just trying to understand why I am getting both host and hostname and why hostname is repeated.
Thanks for your assistance
Badger
March 26, 2021, 4:16pm
2
I suspect hostname is an array, containing three copies of host. That would happen if you did
mutate { add_field => { "hostname" => "%{host}" } }
mutate { add_field => { "hostname" => "%{host}" } }
mutate { add_field => { "hostname" => "%{host}" } }
ASA01
March 26, 2021, 5:24pm
3
Here is the entire conf. I don't have hostname in it at all.
input {
  file {
    path => "/home/ech/chr*"
    start_position => "beginning"
    file_completed_action => "delete"
    sincedb_path => "/dev/null"
    mode => "read"
  }
}
filter {
  csv {
    separator => "|"
    skip_header => true
    autodetect_column_names => true
    skip_empty_rows => true
  }
  date {
    match => ["segstart", "yyyy-MM-dd HH:mm:ss"]
  }
  date {
    match => ["segstart", "yyyy-MM-dd HH:mm:ss"]
    target => "segstart"
  }
  date {
    match => ["segstop", "yyyy-MM-dd HH:mm:ss"]
    target => "segstop"
  }
  date {
    match => ["segstart_utc", "yyyy-MM-dd HH:mm:ss"]
    target => "segstart_utc"
  }
  date {
    match => ["segstop_utc", "yyyy-MM-dd HH:mm:ss"]
    target => "segstop_utc"
  }
  translate {
    field => "disposition"
    destination => "calldisposition"
    fallback => "unknown"
    dictionary => {
      "1" => "Connected"
      "2" => "Answered"
      "3" => "Abandoned"
      "4" => "Interflowed"
      "5" => "Forced Busy"
      "6" => "Forced Disconnect"
      "7" => "Other"
      "8" => "ICR Pulled"
    }
  }
  translate {
    field => "interruptdel"
    destination => "interrupt"
    fallback => "unknown"
    dictionary => {
      "0" => "Not Applicable"
      "1" => "Auto in Interrupt"
      "2" => "Manual in Interrupt"
      "3" => "Notify Interrupt"
    }
  }
  if [dispsplit] == "-1" {
    mutate {
      replace => ["dispsplit","0"]
    }
  }
  if [split1] == "-1" {
    mutate {
      replace => ["split1","0"]
    }
  }
  if [split2] == "-1" {
    mutate {
      replace => ["split2","0"]
    }
  }
  if [split3] == "-1" {
    mutate {
      replace => ["split3","0"]
    }
  }
  mutate {
    convert => {"disposition" => "integer"}
    convert => {"holdabn" => "integer"}
    convert => {"talktime" => "integer"}
    convert => {"acwtime" => "integer"}
    convert => {"ringtime" => "integer"}
    convert => {"dispriority" => "integer"}
    convert => {"queuetime" => "integer"}
    convert => {"duration" => "integer"}
    convert => {"ansholdtime" => "integer"}
    convert => {"disptime" => "integer"}
    convert => {"netintime" => "integer"}
    convert => {"tenant_num" => "integer"}
    convert => {"dispsklevel" => "integer"}
    convert => {"prefskilllevel" => "integer"}
    convert => {"origholdtime" => "integer"}
    convert => {"ansreason" => "integer"}
    convert => {"consulttime" => "integer"}
    convert => {"agentsurplus" => "integer"}
    convert => {"cwc1" => "integer"}
    convert => {"cwc2" => "integer"}
    convert => {"cwc3" => "integer"}
    convert => {"cwc4" => "integer"}
    convert => {"cwc5" => "integer"}
    convert => {"acd" => "integer"}
    convert => {"dispsplit" => "integer"}
    convert => {"held" => "integer"}
    convert => {"split1" => "integer"}
    convert => {"split2" => "integer"}
    convert => {"split3" => "integer"}
    convert => {"dispivector" => "integer"}
    convert => {"firstvector" => "integer"}
    convert => {"callid" => "integer"}
    convert => {"eq_locid" => "integer"}
    convert => {"event1" => "integer"}
    convert => {"event2" => "integer"}
    convert => {"event3" => "integer"}
    convert => {"event4" => "integer"}
    convert => {"event5" => "integer"}
    convert => {"event6" => "integer"}
    convert => {"event7" => "integer"}
    convert => {"event8" => "integer"}
    convert => {"event9" => "integer"}
    convert => {"interruptdel" => "integer"}
    convert => {"origreason" => "integer"}
    convert => {"uui_length" => "integer"}
    convert => {"ans_locid" => "integer"}
    convert => {"orig_locid" => "integer"}
    convert => {"icrpullreason" => "integer"}
    convert => {"firstivector" => "integer"}
    convert => {"agentskilllevel" => "integer"}
    convert => {"obs_locid" => "integer"}
    convert => {"tkgrp" => "integer"}
    convert => {"segment" => "integer"}
    convert => {"uui_len" => "integer"}
    convert => {"assist" => "integer"}
    convert => {"transferred" => "integer"}
    convert => {"malicious" => "integer"}
    convert => {"agt_released" => "integer"}
    convert => {"conference" => "integer"}
    convert => {"da_queued" => "integer"}
    convert => {"icrresent" => "integer"}
    convert => {"audio" => "integer"}
  }
}
output {
  elasticsearch {
    hosts => [ "http://localhost:9200"]
    index => "ech-%{+YYYY.MM.dd}"
    document_id => "%{acd}_%{callid}_%{segment}_%{ucid}"
    manage_template => false
    user => "${ES_USER}"
    password => "${ES_PWD}"
  }
  stdout { codec => rubydebug }
}
Badger
March 26, 2021, 6:01pm
4
Does [hostname] show up in the rubydebug output on stdout?
ASA01
March 29, 2021, 1:40pm
5
No, it does not.
I get "host" => "cmscd". That is it. Nothing for "hostname".
Badger
March 29, 2021, 4:38pm
6
OK, so logstash is not adding it. Do you have ingestion pipelines in elasticsearch?
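One way to answer the ingest-pipeline question from post 6 without relying on memory, as an added example that is not part of the original thread: inspect the JSON returned by `GET ech-*/_settings?flat_settings=true` and `GET _ingest/pipeline`. The sample responses and the pipeline names below are constructed, and matching on a processor's `field`/`target_field` is a heuristic that will not catch script processors.

```python
import json

# Constructed sample of `GET ech-*/_settings?flat_settings=true` (not from the thread).
SETTINGS_JSON = '''{
  "ech-2021.03.26": {"settings": {"index.default_pipeline": "add-hostname",
                                  "index.number_of_shards": "1"}},
  "ech-2021.03.27": {"settings": {"index.number_of_shards": "1"}}
}'''

# Constructed sample of `GET _ingest/pipeline`; both pipeline names are hypothetical.
PIPELINES_JSON = '''{
  "add-hostname": {"processors": [
    {"append": {"field": "hostname", "value": ["{{host}}"]}},
    {"lowercase": {"field": "host"}}
  ]},
  "unrelated": {"processors": [{"set": {"field": "env", "value": "prod"}}]}
}'''

def attached_pipelines(settings):
    """Map index name -> pipelines set via default_pipeline / final_pipeline."""
    found = {}
    for index, body in settings.items():
        flat = body.get("settings", {})
        names = [flat[key]
                 for key in ("index.default_pipeline", "index.final_pipeline")
                 if flat.get(key) and flat[key] != "_none"]
        if names:
            found[index] = names
    return found

def writers_of(field, pipelines):
    """Return (pipeline, processor type) pairs that write to `field`.

    Heuristic: a processor writes to target_field if present, else to field.
    """
    hits = []
    for name, body in pipelines.items():
        for proc in body.get("processors", []):
            for ptype, opts in proc.items():
                if not isinstance(opts, dict):
                    continue
                if (opts.get("target_field") or opts.get("field")) == field:
                    hits.append((name, ptype))
    return hits

if __name__ == "__main__":
    print(attached_pipelines(json.loads(SETTINGS_JSON)))
    print(writers_of("hostname", json.loads(PIPELINES_JSON)))
```

An index that lists a pipeline here runs it on every document the Logstash output sends, even though the output block names no pipeline.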
ASA01
March 31, 2021, 9:02pm
7
Sorry for the delay, I do not have any. A couple of scripted fields that don't have anything to do with the hostname is all.