Hi,
I am trying to use logstash-input-azureblob plugin to push the NSG flow logs into ES. It was working for a week and I could see an excellent dash board with all the data. But all of sudden it stopped working with the below error.
[2018-05-17T09:23:00,073][WARN ][logstash.filters.split ] Only String and Array types are splittable. field:[records] is of type = NilClass
[2018-05-17T09:23:00,074][WARN ][logstash.filters.split ] Only String and Array types are splittable. field:[records][properties][flows] is of type = NilClass
[2018-05-17T09:23:00,074][WARN ][logstash.filters.split ] Only String and Array types are splittable. field:[records][properties][flows][flows] is of type = NilClass
[2018-05-17T09:23:00,074][WARN ][logstash.filters.split ] Only String and Array types are splittable. field:[records][properties][flows][flows][flowTuples] is of type = NilClass
Not sure whether something wrong my source data.
here is my logstash.conf file
input {
azureblob {
storage_account_name => "xxxxxx"
storage_access_key => "xxxxxxxxxxx"
container => "insights-logs-networksecuritygroupflowevent"
codec => "json"
file_head_bytes => 12
file_tail_bytes => 2
type => azureblob
}
}
filter {
split { field => "[records]" }
split { field => "[records][properties][flows]"}
split { field => "[records][properties][flows][flows]"}
split { field => "[records][properties][flows][flows][flowTuples]"}
mutate{
split => { "[records][resourceId]" => "/"}
add_field => {"Subscription" => "%{[records][resourceId][2]}"
"ResourceGroup" => "%{[records][resourceId][4]}"
"NetworkSecurityGroup" => "%{[records][resourceId][8]}"}
convert => {"Subscription" => "string"}
convert => {"ResourceGroup" => "string"}
convert => {"NetworkSecurityGroup" => "string"}
split => { "[records][properties][flows][flows][flowTuples]" => ","}
add_field => {
"unixtimestamp" => "%{[records][properties][flows][flows][flowTuples][0]}"
"srcIp" => "%{[records][properties][flows][flows][flowTuples][1]}"
"destIp" => "%{[records][properties][flows][flows][flowTuples][2]}"
"srcPort" => "%{[records][properties][flows][flows][flowTuples][3]}"
"destPort" => "%{[records][properties][flows][flows][flowTuples][4]}"
"protocol" => "%{[records][properties][flows][flows][flowTuples][5]}"
"trafficflow" => "%{[records][properties][flows][flows][flowTuples][6]}"
"traffic" => "%{[records][properties][flows][flows][flowTuples][7]}"
}
convert => {"unixtimestamp" => "integer"}
convert => {"srcPort" => "integer"}
convert => {"destPort" => "integer"}
}
date{
match => ["unixtimestamp" , "UNIX"]
}
}
output {
stdout {codec => rubydebug}
elasticsearch {
hosts => ["localhost:9200"]
index => "nsg-flow-logs"
}
}