Logstash & JSON

I'm trying to configure Logstash with JSON.

logstash configuration:

root@596f81c45ea4:~# cat /etc/logstash/conf.d/* | grep -v \#

input {
  gelf { codec => "json" }
}

filter {
  json {
    source => "message"
  } 
}

output {
  elasticsearch { hosts => ["0:9200"] }
}
root@596f81c45ea4:~# 

input:

{"level":"info","ts":"2017-01-21T21:53:21+0000","X":"Y","recordtype":"Z","action":"SET","start":"2017-01-21T21:53:21+0000"}

/var/log/logstash/logstash-plain.log:

[2017-01-21T21:36:32,584][WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2017.01.21", :_type=>"logs", :_routing=>nil}, 2017-01-21T21:36:32.178Z X {"level":"info","ts":"2017-01-21T21:36:32+0000","msg":"Connected to Elastic node","name":"y3QUVEG","version":"5.1.1","code":200}], :response=>{"index"=>{"_index"=>"logstash-2017.01.21", "_type"=>"logs", "_id"=>"AVnC9Zktif7z_nOdo0lI", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [level]", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: "info""}}}}}

Please advise.

It looks like ES has mapped the level field as an integer but you're trying to feed it a string. Check the mappings of the index. If that's the case you need to reindex. Since you're just starting out maybe the easiest option is to just delete the index and start over?
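
One way to run the mapping check suggested above offline, as an added example that is not part of the original thread: it compares an event against an index mapping and lists fields whose mapped numeric type would reject the value. The mapping is a constructed sample in the shape `GET <index>/_mapping` returns on Elasticsearch 5.x, the `long` type on `level` is an assumption, and `looks_numeric` and `find_conflicts` are hypothetical helper names.

```python
import json
import re

# Constructed sample shaped like an Elasticsearch 5.x `GET <index>/_mapping`
# response. The "long" type on "level" is an assumption, not from the thread.
MAPPING = json.loads("""
{"logstash-2017.01.21": {"mappings": {"logs": {"properties": {
  "level": {"type": "long"},
  "code":  {"type": "long"},
  "ts":    {"type": "date"},
  "msg":   {"type": "text"}
}}}}}
""")

# Event copied from the failed action in the Logstash log above.
EVENT = json.loads(
    '{"level":"info","ts":"2017-01-21T21:36:32+0000",'
    '"msg":"Connected to Elastic node","name":"y3QUVEG",'
    '"version":"5.1.1","code":200}'
)

NUMERIC_TYPES = {"long", "integer", "short", "byte", "double", "float"}
NUMBER_RE = re.compile(r"[+-]?\d+(\.\d+)?([eE][+-]?\d+)?")


def looks_numeric(value):
    """Approximate check: JSON numbers and numeric strings pass, the rest fail."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and NUMBER_RE.fullmatch(value) is not None


def find_conflicts(mapping, index, doc_type, event):
    """Return (field, mapped_type, value) for values a numeric mapping would reject."""
    props = mapping[index]["mappings"][doc_type]["properties"]
    conflicts = []
    for field, value in event.items():
        mapped = props.get(field, {}).get("type")
        if mapped in NUMERIC_TYPES and not looks_numeric(value):
            conflicts.append((field, mapped, value))
    return conflicts


if __name__ == "__main__":
    for field, mapped, value in find_conflicts(MAPPING, "logstash-2017.01.21", "logs", EVENT):
        print(f"{field}: mapped as {mapped}, event sends {value!r}")
```

Fields absent from the mapping (`name` and `version` in this sample) are skipped, since they have no existing type to conflict with.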

That did the job, thank you!
