elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

user-agent no target specified #1822

Closed cdenneen closed 10 years ago

cdenneen commented 10 years ago

The filter is supposed to place "name,os,os_name,device" in the root of the event if target isn't specified. Without it specified, none of the fields are created.

By changing to have a target of "ua" it creates the fields but removing that target line results in no fields being written out even though cs_useragent in this case contains content:

                useragent {
                        add_tag => [ "UA" ]
                        source => "cs_useragent"
                        target => "ua"
                }

Also could wrap this with a conditional if cs_useragent =~ /-/ but I would think the filter should be updated to state if source value is "-" or "" then don't populate UA fields with "Other".

untergeek commented 10 years ago

I'm sorry to hear you're having a hard time with the useragent filter. If I understand correctly, you're saying that if you do not specify a target =>, you do not see any fields?

I wonder if there is something else going on, like a field name collision (e.g. you have a name field already). We do recommend using a target as it prevents this sort of thing from happening.

Can you tell me the steps I can try to reproduce this?

That said, my own use has been working at the root level for quite some time:

[Image: screen shot 2014-10-01 at 11 29 46 am]

Thoughts?

cdenneen commented 10 years ago

I'm running 1.4.2 with milestone 3 of useragent.rb. The steps to reproduce are removing target, and no "name", "os", "os_name", etc. fields are created. I could see the possibility of some collisions (none in my setup), but this wouldn't explain ALL fields not being created.

Here are the versions deployed on the system:

    CentOS 6.5
    logstash-1.4.2-1_2c0f5a1.noarch
    logstash-contrib-1.4.2-1_efd53ef.noarch

jordansissel commented 10 years ago

Without specifying target it works for me on master:

% bin/logstash -e 'filter { useragent { source => "message" } }'
SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
{
  "message"    => "SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)",
  "@version"   => "1",
  "@timestamp" => "2014-10-02T06:13:05.771Z",
  "type"       => "stdin",
  "host"       => "oh-my",
  "name"       => "UP.Browser",
  "os"         => "Other",
  "os_name"    => "Other",
  "device"     => "Spider",
  "major"      => "6",
  "minor"      => "2",
  "patch"      => "3"
}

jordansissel commented 10 years ago

The same example above also works for me in logstash 1.4.2.

cdenneen commented 10 years ago

You are absolutely correct... I was using a useragent that actually returned "Other" for every single field and because Other is "useless" I drop those fields if any of them are "Other"... Basically caught by my own cleanup :(
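
The points raised in this thread (skip empty or "-" user agents, keep the parsed fields under a target, and clean up "Other" values without hiding the whole result) combined in one filter block. This is an added example, not configuration posted by anyone in the thread; it reuses the `cs_useragent` field, the `ua` target and the `UA` tag from the report and assumes the cleanup is meant to work field by field.

```logstash
filter {
  # Parse only when the source field exists and holds a real value.
  # Exact comparisons are used on purpose: a pattern such as =~ /-/ matches
  # any string that contains a hyphen, which includes most real user agents
  # (the "SAMSUNG-SGH-E250/1.0 ..." sample in this thread, for instance).
  if [cs_useragent] and [cs_useragent] != "-" and [cs_useragent] != "" {
    useragent {
      source  => "cs_useragent"
      # A target keeps name/os/os_name/device away from root-level fields
      # that may already exist on the event.
      target  => "ua"
      # Applied when the filter succeeds, and not touched by the cleanup below.
      add_tag => [ "UA" ]
    }
  }

  # Per-field cleanup: remove only the sub-field whose value is "Other",
  # so fields that did parse (name, device, major, ...) stay on the event.
  if [ua][name] == "Other" {
    mutate { remove_field => [ "[ua][name]" ] }
  }
  if [ua][os] == "Other" {
    mutate { remove_field => [ "[ua][os]" ] }
  }
  if [ua][os_name] == "Other" {
    mutate { remove_field => [ "[ua][os_name]" ] }
  }
  if [ua][device] == "Other" {
    mutate { remove_field => [ "[ua][device]" ] }
  }
}
```

An event that carries the `UA` tag but none of the `ua` sub-fields was parsed and then emptied by the cleanup, which separates that case from the filter not running at all.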