RuntimeError: LogStash::Filters::Translate: can't convert Array into Hash when loading dictionary

imperfection_perfect · November 30, 2016, 2:34pm

Hi Team,

I have the following usescase,

I am on logstash 2.x

installed the logstash translate filter logstash-filter-translate-2.1.4

but this is not working and i get a run time error and says Pipeline Aborted.

can you please help with this.

> filter
> {
>  if [type] == "eventstats" {
>     grok {
>       remove_field => message
>       match => { message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel}  - %{WORD:envName}\|%{IPORHOST:actualHostMachine}\|%{WORD:applicationName}\|%{NUMBER:empId}\|%{WORD:regionCode}\|%{DATA:country}\|%{DATA:eventName}\|%{NUMBER:staffeventId}\|%{WORD:eventEvent}" }

>       }

>     if !("_grokparsefailure" in [tags]) {
> 	  translate {
> 		field => "%{country}"
> 		destination => "mapdata"
> 		dictionary_path => '/opt/logstash/GeoIPDataFile/Json3LetterCountryCode.json'
> 	}

>       mutate {
> 		add_field => [ "[geoip][coordinates]", "%{[mapdata][longitude]}" ]
> 		add_field => [ "[geoip][coordinates]", "%{[mapdata][latitude]}"  ]
> 		remove_field => ["mapdata"]
> 		add_tag => "eventstats"
>         add_tag => [ "eventFor_%{eventName}" ]
> 	
>       }
>      }
>    }
>    
> }

magnusbaeck · December 5, 2016, 6:34am

field => "%{country}"

So the name of the country is stored in the country field? Change to:

field => "country"

With your current configuration you're saying "translate the field whose name is found in the country field" rather than "translate the country field".

but this is not working and i get a run time error and says Pipeline Aborted.

Without the exact error message it's usually very hard to help.

system · January 2, 2017, 6:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.