Logstash _split_type_failure

My Raw Data

{"records":[{"parent":"","made_sla":"true","caused_by":"","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-01-22 05:47:33","child_incidents":"0","u_incident_age_in_days":"1970-07-21 00:13:56","hold_reason":"","approval_history":"","skills":"","number":"INC0011015","resolved_by":"6816f79cc0a8016401c5a33be04be441","sys_updated_by":"admin","opened_by":"6816f79cc0a8016401c5a33be04be441","user_input":""},{"parent":"","made_sla":"true","caused_by":"","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-01-22 05:47:33","child_incidents":"0","u_incident_age_in_days":"1970-07-21 00:16:40","hold_reason":"","approval_history":"","skills":"","number":"INC0010021","resolved_by":"6816f79cc0a8016401c5a33be04be441","sys_updated_by":"admin","opened_by":"6816f79cc0a8016401c5a33be04be441","user_input":""}]}

My config file

input {
  http_poller {
    urls => {
      url => "https://dev63285.service-now.com/incident_list.do?JSONv2&display_value=True&sysparm_exclude_reference_link=True&sysparm_fields=number%2Cstate%2Copened_at%2Cclosed_at%2Cpriority%2Cassigned_to%2Cassignment_group%2Cactive%2Cimpact%2Curgency%2Cseverity&sysparm_limit=1sysparm_view=json_view"
    }
    request_timeout => 60
    proxy => { host => "10.88.129.144" port => "80" scheme => "http" }
    user => "admin"
    password => "Snow2020*"
    schedule => { cron => "* * * * *" }
    codec => "json"
    metadata_target => "http_poller_metadata"
  }
}
filter {
  split {
    field => "records"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "servicenowinc"
  }
  stdout {
    codec => rubydebug
  }
}

Getting the error below when I run the config file. Please help.
"Only String and Array types are splittable. field:records is of type = NilClass"
C:/Elastic_Stack/logstash-7.5.1/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"tags" => [
[0] "_http_request_failure",
[1] "_split_type_failure"
],
"http_request_failure" => {
"error" => "connect timed out",
"backtrace" => nil,
"runtime_seconds" => 10.24,
"request" => {
"url" => "https://dev63285.service-now.com/incident_list.do?JSONv2&display_value=True&sysparm_exclude_reference_link=True&sysparm_fields=number%2Cstate%2Copened_at%2Cclosed_at%2Cpriority%2Cassigned_to%2Cassignment_group%2Cactive%2Cimpact%2Curgency%2Cseverity&sysparm_limit=1sysparm_view=json_view",
"method" => "get"
},
"name" => "url"
},
"@timestamp" => 2020-01-22T09:27:10.596Z,
"@version" => "1",
"http_poller_metadata" => {
"host" => "DESKTOP-JRAAHA2",
"runtime_seconds" => nil,
"request" => {
"url" => "https://dev63285.service-now.com/incident_list.do?JSONv2&display_value=True&sysparm_exclude_reference_link=True&sysparm_fields=number%2Cstate%2Copened_at%2Cclosed_at%2Cpriority%2Cassigned_to%2Cassignment_group%2Cactive%2Cimpact%2Curgency%2Cseverity&sysparm_limit=1sysparm_view=json_view",
"method" => "get"
},
"name" => "url"
}
}
[2020-01-22T14:58:10,284][WARN ][logstash.filters.split ][main] Only String and Array types are splittable. field:records is of type = NilClass
{
"tags" => [
[0] "_http_request_failure",
[1] "_split_type_failure"

Hi

You seem to have a problem in your http_poller{} input plugin. It doesn't generate any response, so your records field does not exist and that's why you get a _split_type_failure tag as well (only strings and arrays can be split).

Check your http_poller{} syntax and parameters.

Does the URL work if you paste it into your browser, or with curl/wget?

On a side note, do not post credentials on forums! (or anywhere else, for that matter).

Hope this helps.

Hi Jordi,

Yes, I pasted the URL in the browser and verified. It works and it had 3 tabs: JSON, Raw Data, Headers.

Thanks,
Ramya

If the request works in your browser then the problem is likely in the proxy.

Thanks Badger.
I commented out the proxy server, username and password in my config file.
Now I am not getting http_request_failure, but I am getting _split_type_failure. I have attached the raw data and config file in my first post. Kindly help.
Error:
[2020-01-24T21:21:02,411][WARN ][logstash.filters.split ][main] Only String and Array types are splittable. field:records is of type = NilClass
C:/Elastic_Stack/logstash-7.5.1/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"tags" => [
[0] "_split_type_failure"
],
"@timestamp" => 2020-01-24T15:51:02.184Z,
"@version" => "1",
"http_poller_metadata" => {
"response_message" => "Unauthorized",
"times_retried" => 0,
"request" => {
"url" => "https://dev63285.service-now.com/incident_list.do?JSONv2&display_value=True&sysparm_exclude_reference_link=True&sysparm_fields=number%2Cstate%2Copened_at%2Cclosed_at%2Cpriority%2Cassigned_to%2Cassignment_group%2Cactive%2Cimpact%2Curgency%2Cseverity&sysparm_limit=1sysparm_view=json_view",
"method" => "get"
},
"runtime_seconds" => 2.02,
"host" => "DESKTOP-JRAAHA2",
"response_headers" => {
"www-authenticate" => "BASIC realm="Service-now"",
"strict-transport-security" => "max-age=63072000; includeSubDomains",
"set-cookie" => [
[0] "JSESSIONID=7BF827C5956824780B96A30799C4C5EA; Path=/; HttpOnly;Secure",
[1] "BIGipServerpool_dev63285=2424395786.35136.0000; path=/; Httponly; Secure"
],
"date" => "Fri, 24 Jan 2020 15:51:02 GMT",
"connection" => "close",
"content-length" => "0",
"server" => "ServiceNow"
},
"code" => 401,
"name" => "url"
}
}

There is no [records] field in that event, so it fails to split it.

Hi Badger,

Thanks for the reply. Which field do I need to use instead of records to achieve the splitting? Can you please check my raw data and tell me?

Thanks and Regards,
Ramya

I do not think you are getting any records.
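
The failure mode in this thread (a timeout or a 401 produces an event with no records field, which split then rejects) can be handled in the pipeline itself. The following is an added example, not code from any poster here; the INSTANCE host placeholder, the SNOW_USER and SNOW_PASSWORD variable names and the snow_* tags are assumptions, and the credentials are read from the Logstash keystore or the environment instead of being written into the config file.

```logstash
# Added example; host, SNOW_USER/SNOW_PASSWORD and the snow_* tags are assumptions.
input {
  http_poller {
    urls => {
      snow_incidents => {
        method => get
        url => "https://INSTANCE.service-now.com/incident_list.do?JSONv2"
        # Resolved at startup from the Logstash keystore or the environment,
        # e.g. after `bin/logstash-keystore add SNOW_PASSWORD`.
        user => "${SNOW_USER}"
        password => "${SNOW_PASSWORD}"
      }
    }
    request_timeout => 60
    schedule => { cron => "* * * * *" }
    codec => "json"
    metadata_target => "http_poller_metadata"
  }
}
filter {
  if "_http_request_failure" in [tags] or [http_poller_metadata][code] != 200 {
    # Timeout, 401, etc.: there is no body to split, so label the event instead.
    mutate { add_tag => ["snow_http_error"] }
  } else if [records] {
    # Only reached when the JSON body decoded and carries a records field.
    split { field => "records" }
  } else {
    mutate { add_tag => ["snow_no_records"] }
  }
}
output {
  if "snow_http_error" in [tags] or "snow_no_records" in [tags] {
    # Keep failed polls out of the incident index; inspect them on the console.
    stdout { codec => rubydebug }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "servicenowinc"
    }
  }
}
```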
