I have inputted two json files from logstash, from a variable named file , i want to create few fields using dissect filter, but this is giving me error:
this is my json input file:
{
"tags": [
"jdkinstall",
"class",
"download",
"jdkinstall::download",
"file",
"default",
"node"
],
"file": "/etc/puppetlabs/code/environments/aem_prod/modules/jdkinstall/manifests/download.pp",
"type": "File",
"title": "/apps/Binariesjdk",
"line": 7,
"resource": "6485158671b69e7dsfr0374sadfgfds813ffbaf",
"environment": "aem_prod",
"certname": "hostname.com",
"parameters": {
"mode": "0750",
"group": "webadm",
"owner": "webadm",
"backup": false,
"ensure": "directory"
},
"exported": false
},
my logstash configuration file is:
input {
file {
path => "/usr/share/logstash/bin/puppet_metrics/*.json"
type => "json"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
dissect {
mapping => {
"file" => "%{} %{} %{} %{} %{environment} %{} %{module} %{} %{}"
}
}
}
output {
elasticsearch {
hosts => "192.168.2.101:9200"
manage_template => false
index => "logstash-%{+YYYY.MM.dd}"
user => "abhishek"
password => "2fudge"
}
}
Error is repetition of similar lines:
[WARN ] 2018-10-09 09:01:12.316 [Ruby-0-Thread-9: :1] Dissector - Dissector mapping, field not found in event {"field"=>"file", "event"=>{"type"=>"json", "@timestamp"=>2018-10-09T07:01:12.166Z, "path"=>"/usr/share/logstash/bin/puppet_metrics/resources.json", "host"=>"VM-1032011537", "@version"=>"1", "message"=>" "environment": "aem_uat","}}
[INFO ] 2018-10-09 09:01:13.319 [[main]>worker3] pipeline - Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x7672b334 run>"}
help would be appreciated, thanks