Unable to parse "message" field using filbeats

sid_nikhil · December 26, 2018, 4:31am

I a trying to parse message field and store its value in a scripted filed

return doc['message'].value;

But the above query gives error ( 3 of 14 shards failed) when in click on Discover:

But the same query works fine for all other fields:

return doc['source'].value;

my actual message field is

message : 2018-12-21 02:31:31,792;INFO ;XSYD.2.5.0.1a5e8-uye1-9d87-8744-5343db306cd8;1;0;;GETCONFPRO;0;

I want to split by ; and get the timestamp

I am very new to ELK .Can someone please suggest how to do that.

Nathan_Reese · December 26, 2018, 3:01pm

Can you please provide some more details about the shard failure message. In Discover, click Inspect. Then click Response tab. Can you provide the contents of the response?

sid_nikhil · December 26, 2018, 3:08pm

After clicking discover
in the page that opened i did right click -> inspect.
Got response tab in NetworK tab

{"responses":[{"took":5,"timed_out":false,"_shards":{"total":14,"successful":14,"skipped":0,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]},"aggregations":{"2":{"buckets":[]}},"status":200}]}

system · January 23, 2019, 3:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.