Hi All, I've gotten a problem with my old logstash pipeline.
My config looks like this (everything is commented out during debugging):
[root@ALPHA00035 pipeline]# cat logstash.conf
input {
beats {
port => 5000
ecs_compatibility => disabled
}
syslog {
}
}
#############################################
# Interpret Portrait ERRORS log #
#############################################
#filter {
# if "portraiterrors" in [fields][logtype] {
# kv {
# source => "message"
# value_split => ":"
# field_split => "\n"
# include_keys => [ "Time", "Username", "Instance name", "Instancename", "Exception", "Exception type", "ErrorCode", "Module", "Procedure", "Version", "Memory usage" ]
# }
# if ![Instance name] {
# mutate {
# rename => { "Instancename" => "Instance name" }
# }
# }
# date {
# match => [ "Time", "MM/dd/yyyy HH:mm:ss aa", "M/d/yyyy HH:mm:ss aa", "M/d/yyyy H:m:ss aa", "dd-MM-yyyy HH:mm:ss", "d-M-yyyy HH:mm:ss", "MM/dd/yyyy", "M/d/yyyy", "dd-MM-yyyy", "d-M-yyyy" ]
# timezone => "Europe/Copenhagen"
# }
# }
#}
#############################################
#############################################
# Output to Elastic Search #
# Index name is defined by logtype #
#############################################
output {
elasticsearch {
hosts => "https://elasticsearch:9200"
index => "%{[[fields][logtype]}-%{[@metadata][version]}-%{+YYYY.MM}"
document_type => "%{[@metadata][type]}"
cacert => "/usr/share/logstash/config/certs/ca/ca.crt"
user => logstash_internal
password => <PW>
}
}
But when I start logstash
logstash | [2022-02-23T12:44:47,086][ERROR][logstash.javapipeline ][main] Pipeline worker error, the pipeline will be stopped {:pipeline_id=>"main", :error=>"Invalid FieldReference: `[[fields][logtype]`"
So what am I doing wrong now?