Please suggest a workaround if there is one.
[2023-09-27T14:56:22,072][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}[2023-09-27T14:56:22,094][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}[2023-09-27T14:57:04,252][WARN ][logstash.outputs.opensearch][main][e88d14ed9d066b8862ff8822a615df883a8bf8bbb6c29a8ac8b57886c0a9c6a9] Could not index event to OpenSearch.{:status=>400, :action=>["index", {:_id=>"%{fingerprint}", :_index=>"abb-abo-abb1-xlm-2023.09.27", :routing=>nil}, {"HostIp"=>["10.10.188.18", "10.10.188.18", "10.10.188.18"], "message"=>"[140206525253504] 09/27/2023 14:57:03 [E] OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. Peer: 10.10.188.18:11890","ActualMsg"=>["OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. Peer: 10.10.188.18:11890", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. ", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. Peer: 10.10.188.18:11890", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. ", "OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. "], "Port"=>["11890", "11890", "11890"], "type"=>"abbmq", "aboach"=>["140206525253504", "140206525253504"], "event"=>{"hash"=>"f1bdbaaa1a05e04bf486856cf41e796d63d4d5d4", "original"=>"[140206525253504] 09/27/2023 14:57:03 [E] OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure. 
Peer: 10.10.188.18:11890"}, "partition"=>"abb1", "@version"=>"1", "podName"=>"abb","tags"=>["_dateparsefailure"], "@timestamp"=>2023-09-27T14:57:04.119983481Z, "log"=>{"file"=>{"path"=>"/var/abb/abbmq/logs/abbmq.log"}}, "host"=>"[host][name]", "nodeRole"=>"abb-abo-abb1-xlm", "productCode"=>"abb-abo", "loglevel"=>["E", "E"]}], :response=>{"index"=>{"_index"=>"abb-abo-abb1-xlm-2023.09.27", "_id"=>"%{fingerprint}", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}
Below is my Logstash configuration with the grok filter:
# Read events from the abbmq log file; each event from this input carries type "abbmq",
# which the filter section uses to select it.
input {
file {
path => "/var/abb/abbmq/logs/abbmq.log"
# "beginning" only applies to files Logstash has not read before; otherwise it resumes
# from its recorded position.
start_position => "beginning"
type => "abbmq"
}
}
# Parse abbmq log lines of the form "[<id>] MM/dd/yyyy HH:mm:ss [<level>] <text>" and,
# when the text ends in "Peer: <ip>:<port>", extract the peer address and port.
# NOTE(review): the rejected event in the log above has _id "%{fingerprint}" as literal
# text, so no field named fingerprint existed when the output ran. Neither the output nor
# a fingerprint filter is shown here; if every event gets that same _id, documents would
# overwrite each other in the index — confirm where the fingerprint is written.
filter {
if [type] == "abbmq"{
# Split the line into Epoach, LogTimestamp (date part only), hr/min/sec, loglevel and
# the remaining text as ActualMsg.
grok
{
match => {"message" => "^\[%{INT:Epoach}\]%{SPACE}%{DATE_US:LogTimestamp}%{SPACE}%{HOUR:hr}:%{MINUTE:min}:%{SECOND:sec} \[%{WORD:loglevel}\]%{SPACE}%{GREEDYDATA:ActualMsg}"}
}
if [ActualMsg]
{
# NOTE(review): this grok captures into ActualMsg again without the overwrite option,
# so the new value is appended and ActualMsg becomes an array, as the rejected event
# shows. The backslash in "\Peer" and the "." after it look unintended (probably a
# literal "Peer:") — confirm.
grok
{
# Get fields from actualMsg
match => {"ActualMsg" => "^%{GREEDYDATA:ActualMsg}\Peer.%{SPACE}%{IP:HostIp}\:%{INT:Port}"}
}
# NOTE(review): LogTimestamp holds only the DATE_US part (e.g. 09/27/2023) while the
# pattern below expects "dd/MMM/yyyy:HH:mm:ss Z"; the rejected event is tagged
# _dateparsefailure and its @timestamp (14:57:04.119) is not the logged time (14:57:03).
# Until date and time are matched together, @timestamp reflects processing time, which
# skews correlation of these handshake failures with other sources.
date
{
locale => "en"
match => [ "LogTimestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
timezone => "UTC"
target => "@timestamp"
}
# Drop the intermediate timestamp pieces once the date filter has run.
mutate
{
remove_field => [ "LogTimestamp"]
}
mutate
{
remove_field => [ "hr", "min", "sec" ]
}
}
}
}
I tried adding the following:
# NOTE(review): replace assigns the literal text "[host][name]" to host; it does not move
# the old value. The rejected event above shows "host"=>"[host][name]", so host is still a
# plain string and the index mapping, which expects an object for host, returns the same
# 400 mapper_parsing_exception.
# mutate's rename option (rename => { "[host]" => "[host][name]" }) is the one that moves
# the existing value under host.name — confirm against the index mapping before relying on it.
mutate {
replace => { "[host]" => "[host][name]" }
}
but the issue still occurs.
I appreciate your help.