Problems processing or storing decimals starting with 0.0

Hi, I'm trying to store values like 0.033 but Elasticsearch is storing just 0.

The log comes from a file into Logstash, is then processed with grok (in https://grokdebug.herokuapp.com/ the debug works fine) and is stored in Elasticsearch (0 was stored).

GROK Pattern:

```
"%{WORD:http.method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response} %{NUMBER:bytes} "%{DATA:http.referrer}" "%{DATA:agent.browser}" "%{DATA:http.cookie}" %{NUMBER:RoundTrip:double}
```

LOG example:

```
"GET /test/test/test/test/app.min.js HTTP/1.1" 200 234566 "https://www.test.com/test.aspx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" "BLAHBLAH=cookie" 0.033
```

Elasticsearch store:

```
],
"RoundTrip": [
0
],
```

I need to store 0.033 (RoundTrip).

Any help?

LOGSTASH Version: 7.8.1
Elasticsearch Version: 7.13.3

Welcome!

Please format your code, logs or configuration files using the </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Coming back to your question.

Could you change

```
%{NUMBER:RoundTrip:double}
```

to

```
%{NUMBER:RoundTrip}
```

Then, could you share the exact full document you are seeing in Elasticsearch? For this, do a

```
GET /INDEX/_doc/ID
```

Also share the mapping for your index.

LOGSTASH Version: 7.8.1
Elasticsearch Version: 7.13.3

And please don't mix versions. Use the same version for Logstash and Elasticsearch.

Thanks for the tips, yes I tried:

```
%{NUMBER:RoundTrip}
%{NUMBER:RoundTrip:double}
```

By the way, you have a point: I see the store was done correctly (I never performed a direct query over the index; I was only using Kibana to check the data):

```
"time" : "25/Oct/2021:21:30:00 -0300",
"http.version" : "1.1",
"RoundTrip" : "0.007",
"ioc_ip" : "None",
```

So the problem is the representation of the data in Kibana, which shows this for the same doc ID:

```
"RoundTrip": [
      0
    ],
```

So it's not a store or processing problem; it's maybe a data representation issue in Kibana. I will keep digging deeper into this. Thanks again for all the tips.
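An added example, not part of the original thread and not Logstash's own code: a Python approximation of the grok pattern posted above, run against the posted log line to confirm that the parse step keeps the fraction, plus a helper that flags the `_source` versus displayed-value mismatch described in the last post. The regex simplifications, the underscore-free group names and the function names are assumptions made for this sketch.

```python
import re

# Hand translation of the thread's grok pattern into a Python regex.
# Assumed simplifications: WORD -> \w+, URIPATHPARAM -> \S+, DATA -> [^"]*,
# NUMBER -> optional sign, digits, optional fraction. Dotted grok field names
# (http.method, ...) are shortened because regex group names cannot contain dots.
NUMBER = r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)"
ACCESS_LINE = re.compile(
    r'"(?P<method>\w+) (?P<request>\S+) HTTP/(?P<version>' + NUMBER + r')" '
    r'(?P<response>' + NUMBER + r') (?P<bytes>' + NUMBER + r') '
    r'"(?P<referrer>[^"]*)" "(?P<browser>[^"]*)" "(?P<cookie>[^"]*)" '
    r'(?P<RoundTrip>' + NUMBER + r')\s*$'
)

# Log line copied from the first post in the thread.
SAMPLE_LINE = (
    '"GET /test/test/test/test/app.min.js HTTP/1.1" 200 234566 '
    '"https://www.test.com/test.aspx" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" '
    '"BLAHBLAH=cookie" 0.033'
)


def parse_line(line):
    """Return the captured fields (RoundTrip as float), or None if no match."""
    m = ACCESS_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["RoundTrip_raw"] = fields["RoundTrip"]     # text exactly as captured
    fields["RoundTrip"] = float(fields["RoundTrip"])  # numeric conversion
    return fields


def lost_fraction(source_value, displayed_value):
    """True when the displayed value equals the _source value minus its fraction."""
    src, shown = float(source_value), float(displayed_value)
    return src != shown and int(src) == int(shown)


if __name__ == "__main__":
    doc = parse_line(SAMPLE_LINE)
    print("parsed RoundTrip:", doc["RoundTrip"])
    # Values from the last post: _source held "0.007", Kibana displayed 0.
    print("fraction lost in display:", lost_fraction("0.007", 0))
```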
