tootedom
commented
9 years ago The small knock on effect of not being able to specify the data type in the Oniguruma pattern style, Is that logstash no longer converts a - (that's a hyphen) to the base data type's default value.
So if you set up a template mapping in elasticsearch, i.e.
"ngx_upstream_response_time" : { "index": "not_analyzed", "type": "float" },but the logstash sends a "-" (missing data), elasticsearch throws a NumberFormatException, and 400 back to logstash, which drops the message, outputting the dropped message to logstash.log (which if you have millions of logs eats all the disk on the instance :-)
Example:
input {
stdin { }
}
filter {
grok {
patterns_dir => "/opt/logstash/patterns/"
match => [ "message", "upstream_response_time:(?<ngx_upstream_response_time:float>[0-9\-.]{1,999})"]
}
}
output {
stdout { codec => rubydebug }
}1.4.2 would convert to 0.0 as follows:
echo "upstream_response_time:-" | logstash-1.4.2/bin/logstash -f filter.conf
{
"message" => "upstream_response_time:-",
"@version" => "1",
"@timestamp" => "2015-07-04T10:20:53.177Z",
"ngx_upstream_response_time" => 0.0
}
robfr
This Oniguruma pattern: (?throughputtime:int[0-9]+) now results in the field "int" in elasticsearch, and not "throughputtime" as an int type in elasticsearch.
We noticed this issue after upgrading from 1.4.2 to 1.5.2. The problem presented itself in 1.5.0 of logstash.
Replication is as follows:
message:
Config:
Running in 1.4.2 results in the following:
Running in 1.5.0 results in the following:
Simple command line examples:
1.4.3
1.5.0
1.5.2
I've looked at the changelog.md and nothing indicate a breaking change with regards to GROK and this field matching and type specification. Is this a known issue?
thanks /dom