Problem with field mapping


(Andreas) #1

Hi all

I use a Ruby web call inside a Logstash filter in order to enrich log data. I call a URL with the content of an existing field and I would like to put the response into a new field. The code works and I can find the field with proper content, but the resulting field is not mapped according to Kibana. And yes, I did the reload. But the field is also not shown in Kibana - settings - index pattern - fields.

The field I'm talking about is called greycode_verdict.

Here is the relevant part of my logstash filter:

ruby {
  init => "
    require 'net/http'
  "
  code => "
    # Look up the verdict for the hash stored in the sha256 field
    sha256hash = event.get('[sha256]')
    uri = URI.parse('http://greycode:42042/' + sha256hash)
    response = Net::HTTP.get_response(uri)
    if response.code == '200'
      # Store the response body as the verdict
      result = response.body
      event.set('[greycode_verdict]', result)
    else
      # Any other status is recorded as an error string
      event.set('[greycode_verdict]', 'ERROR reaching greycode web service')
    end
  "
}

I tried to add the field in front of the ruby part with

add_field => {"greycode_verdict" => "no verdict yet"}

but I guess I'm misinterpreting the problem...

Thanks for your help
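
The lookup from the post above as a standalone Ruby method, written as an added example that is not part of the original post. It checks the hash before building the URL, bounds the HTTP call with timeouts and always returns a string. The 64-hex-character check, the 2-second timeouts, the 256-character cap, the `'ERROR invalid sha256'` message and the injectable `fetch` parameter are assumptions; the service URL and the other error string come from the post.

```ruby
require 'net/http'
require 'uri'

GREYCODE_BASE = 'http://greycode:42042/'   # service URL from the post
SHA256_RE     = /\A[0-9a-fA-F]{64}\z/      # assumption: field holds a hex SHA-256
MAX_VERDICT   = 256                        # assumption: verdicts are short strings

# Default fetcher: real HTTP GET with bounded timeouts so a slow service
# cannot stall the Logstash pipeline worker. Returns [status_code, body].
HTTP_FETCH = lambda do |uri|
  Net::HTTP.start(uri.host, uri.port, open_timeout: 2, read_timeout: 2) do |http|
    res = http.get(uri.request_uri)
    [res.code, res.body.to_s]
  end
end

# Returns a string in every case, so greycode_verdict always has one type.
# fetch is a hypothetical injection point used to exercise the method offline.
def greycode_verdict(sha256, fetch = HTTP_FETCH)
  # Reject anything that is not a 64-char hex digest before it reaches the URL;
  # log fields are untrusted and could otherwise alter the path or query.
  return 'ERROR invalid sha256' unless sha256.is_a?(String) && sha256.match?(SHA256_RE)

  code, body = fetch.call(URI.parse(GREYCODE_BASE + sha256.downcase))
  return 'ERROR reaching greycode web service' unless code == '200'

  # Replace invalid bytes and control characters, then cap the length
  # before the response is indexed.
  body.to_s.scrub('?').gsub(/[[:cntrl:]]/, ' ').strip[0, MAX_VERDICT]
rescue StandardError
  # Timeouts, refused connections and DNS failures all land here.
  'ERROR reaching greycode web service'
end
```

Inside the filter's `code` block the call would be `event.set('[greycode_verdict]', greycode_verdict(event.get('[sha256]')))`.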


#2

Do you have a template for the index in question?

