Logstash timetaken not recognized as an integer

Daniel_Carucha_Altuz · November 7, 2018, 5:22pm

Hi, i have the next logline:

2018-11-07T13:48:26-03:00 localhost.localdomain haproxy[40370]: 10.5.38.210:55125 [07/Nov/2018:13:48:26.791] https-in~ default_443/anseswww71.anses.gov.ar 101/0/1/83/185 200 604 - - ---- 335/325/4/1/0 0/0 "POST /autoconsultas/dondecobro.php HTTP/1.1"

So i parse it using grok with this pattern
%{SYSLOGLINE}%{IPV4:ip_origen}:%{NUMBER:puerto:LONG} %{SYSLOG5424SD} %{URIHOST:FrontendName}~? %{WORD:Granja}/<?%{URIHOST:RoutedHost}>? %{INT:TR}/%{NUMBER:TimeWaiting}/%{NUMBER:TimeToConnection}/%{NUMBER:ServerTimeResponse:INT}/%{NUMBER:TimeTaken:INT} %{NUMBER:Response} %{NUMBER:Bytesread:INT} - - %{DATA:SC}? %{NUMBER:ConcurrentConnectionsOnProcess:INT}/%{NUMBER:ConcurrentConnectionOnFrontend:INT}/%{NUMBER:ConcurrentConnectionOnBackend:INT}/%{NUMBER:ConnectionsOnServer:INT}/%{NUMBER:Retries:INT} %{WORD:aa}/%{WORD:aa} ("%{WORD:Method} %{URIPATHPARAM:Url} HTTP/1.1)

My problem is that in kibana, i don't see "timetaken" as an integer... it keeps showing me timetaken as a string.

Is there any way to convert it in logstash or in elastic? i need to get the average timetaken for my visualizations.

Thanks!

AquaX · November 9, 2018, 7:41pm

Are you defining a template when you are writing to elasticsearch?
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-template

Although elasticsearch is generally pretty good at figure out which data type belongs where you may need to check that the template that gets created for your index and compare it to the data that you actually have.

system · December 7, 2018, 7:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.