[Oisf-users] Get from eve.json-> "event_type = file" parser error in elasticsearch
Eric Leblond
eric at regit.org
Wed Feb 12 09:03:46 UTC 2014
Hi,
On Wed, 2014-02-12 at 08:40 +0000, Stefan Sabolowitsch wrote:
> Hi all,
> Get from eve.json-> "event_type = file" parser error in elasticsearch.
> https://groups.google.com/d/msg/elasticsearch/1P3fM0oa7gU/8g0qqUxfPSoJ
>
> All other event types work without problem.
> The interesting thing is however, that can be parsing "files json.log" without problem.
> Has anyone already successfully sent eve.json-> "event_type = file“ to elastic search?
On a clean logstash installation, eve.json file event are correctly
parsed. By clean, I mean that it has only seen eve.json events.
You may have a conflict in elasticsearch because you have two format for
file events. I've seen that type of problem once when one of my student
did change the type of a key in the output. Injecting of the events did
fail after that.
If this problem is confirmed, we should maybe do something on code or
documentation side to fix this or describe how to fix this in
elasticsearch.
BR,
--
Eric Leblond <eric at regit.org>
More information about the Oisf-users
mailing list