Why the host mapping is not wokring

Elastic Stack Logstash
1

Hi Team,

Need clarification on why this mapping is not working.
Logstash field,
"host" => "vzon-pdm-prod.gnm.dns.denc.nka.net"

Template mapping:
"host": {"type": "keyword" }

Its throwing below error while sending mapping to Elastic,

Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"lsh-usa_verizon_core2a_8650sdm_v4-2019.11.23", :_type=>"_doc", :_routing=>nil}, #LogStash::Event:0x7986175f], :response=>{"index"=>{"_index"=>"lsh-usa_verizon_core2a_8650sdm_v4-2019.11.23", "_type"=>"_doc", "_id"=>"B7aMlm4BIqQPqzL49rWu", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to find type parsed [string] for [host]"}}}}

2

If you use

output { stdout { codec => rubydebug } }

what do the [host] and [logtime] fields look like?

3

Hi Badger,

"host" => "vzon-pdm-prod.gnm.dns.denc.nka.net)"
I got rid of the host issue, am able to send host to the elastic.

However date mapping is giving me trouble,

logtime from grok stdout debug:

"logtime" => "2019-11-20 17:31:46"

Grok mapping:
{TIMESTAMP_ISO8601:logtime}

Date parsing:
date
{
match => [ "logtime" ,"yyyy-MM-dd HH-mm-ss"]
timezone => UTC
target => "logtime"
}
Template mapping:
"logtime": {"type": "date", "format" : "yyyy-MM-dd HH-mm-ss"}

Error while sending to elastic:

[2019-11-25T01:23:07,800][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"lsh-new-tempindexfor8650sdm_v4-2019.11.25", :_type=>"sdmmapping", :_routing=>nil}, #LogStash::Event:0x5e4e0083], :response=>{"index"=>{"_index"=>"lsh-new-tempindexfor8650sdm_v4-2019.11.25", "_type"=>"sdmmapping", "_id"=>"z99xoW4BoNYXwHJfTgZZ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [logtime] of type [date] in document with id 'z99xoW4BoNYXwHJfTgZZ'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: "2019-11-20 17:31:46" is malformed at "-11-20 17:31:46""}}}}}

A quick help reply on this will be great help for me please :slight_smile:

4

You have used a date filter to convert [logtime] to a LogStash::Timestamp. I don't think you need a template for the field once you have done that. elasticsearch will by default convert it to a date.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.