Let's say I have 2 different types of logs, such as Fortinet and Netasq logs, and I want to grok Fortinet using one regex and grok Netasq using another regex.
I know that "type" in the input file and a "condition" in the filter can resolve the problem, so I used this config file:

```
input {
  file {
    type => "fortinet"
    path => "/fortinet/*.log"
    sincedb_path => "/logstash-autre_version/var/.sincedb"
    start_position => 'beginning'
  }
  file {
    type => "netasq"
    path => "/home/netasq/*.log"
  }
}
filter {
  if [type] == "fortinet" {
    grok {
      patterns_dir => "/logstash-autre_version/patterns"
      match => [ "message", "%{fortinet}" ]
      tag_on_failure => [ "failure_grok_exemple" ]
      break_on_match => false
    }
  }
  if [type] == "netasq" {
    # .......
  }
}
output {
  elasticsearch {
    cluster => "logstash"
  }
}
```

and I'm getting this error:

```
got error send bulk of actions: no method 'type' arguments(org.jruby.rubyarray) on java::orgelasticsearchactionindex::indexrequest {:level=>:error}
```

But if I don't use "type", grok on the Fortinet logs works.
What should I do?
I'm not sure, but maybe this helps:
I have the same error, and I think it is caused by the use of these if statements:
`if [type] == "fortinet"` - your type field is compared to "fortinet", which may not be possible because "fortinet" is a string and type isn't. Sometimes, when setting the type in the input, if there already is a type, the type isn't replaced; the new type is added to a list together with the old type. You should have the data in Kibana (or wherever), so try to find this:
`"type":["fortinet","some-other-type"]` (maybe without the `\"`).
If you find it, try not setting the type of the input explicitly, and compare the type in the if-statement to the some-other-type you have found.
Hope this works (I'm working with more complex inputs/forwarders, and for me it doesn't, but it's worth a try).
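Added example (not from the thread): a small Python check that does what the answer suggests by hand, scanning exported events (JSON lines, here a constructed sample) for a list-valued `type` field and simulating which `if [type] == "..."` branch each event would take, so silently unrouted events show up before they reach the grok filters.

```python
import json

# Constructed sample of events as they might be exported from Elasticsearch/Kibana.
# Hypothetical data, not taken from the original thread.
SAMPLE_EVENTS = [
    '{"type": "fortinet", "message": "devname=fw1 logid=0000000013 action=accept"}',
    '{"type": ["fortinet", "some-other-type"], "message": "devname=fw2 action=deny"}',
    '{"type": "netasq", "message": "id=firewall time=... action=block"}',
    '{"message": "event with no type at all"}',
]


def type_matches(event, wanted):
    """Mirror Logstash's `if [type] == "wanted"`: a strict equality test.

    A list-valued type never equals a plain string, so such events fall
    through every conditional even when the list contains the wanted value.
    """
    return event.get("type") == wanted


def find_array_types(lines):
    """Return (index, type_value) for every event whose type is a list."""
    hits = []
    for i, line in enumerate(lines):
        ev = json.loads(line)
        if isinstance(ev.get("type"), list):
            hits.append((i, ev["type"]))
    return hits


def route(event, known_types=("fortinet", "netasq")):
    """Simulate the filter section: name the branch the event would take."""
    for t in known_types:
        if type_matches(event, t):
            return t
    return "unrouted"


def audit(lines):
    """Count events per branch; a large 'unrouted' bucket means lost parsing."""
    counts = {}
    for line in lines:
        branch = route(json.loads(line))
        counts[branch] = counts.get(branch, 0) + 1
    return counts


if __name__ == "__main__":
    print("array-valued types:", find_array_types(SAMPLE_EVENTS))
    print("routing:", audit(SAMPLE_EVENTS))
```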