[LogStash] Failed to parse field [dns.resolved_ip] of type [ip] #9
Comments
|
Resolved this error by adding this: split => { "ipaddr" => ", " } Right above line 174 (in the 40-fortigate_2_ecs pipeline): copy =>{ "[ipaddr]"=> "[dns][resolved_ip]" } |
nicpenning
pushed a commit
to nicpenning/fortinet-2-elasticsearch
that referenced
this issue
Apr 8, 2020
Merged
|
Fixed with PR! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I am using the plugin filter mutate {copy =>{ "[ipaddr]"=> "[dns][resolved_ip]" } } and ipaddr contains multiple values ("127.0.0.1, 192.168.0.3, 192.168.0.4") and when I try to ingest this into ElasticSearch the field dns.resolved_ip is an IP so the error I am receiving is:
"status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dns.resolved_ip] of type [ip] in document with id 'w3ZAWnEBlAHVcZpD_2dx'. Preview of field's value: '127.0.0.1, 192.168.0.3, 192.168.0.4'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'127.0.0.1, 192.168.0.3, 192.168.0.4' is not an IP string literal."
I think the ipaddr value needs to be parsed and break out the values into an array to show the end result like this:
"dns": {
"resolved_ip": [
"127.0.0.1",
"192.168.0.3",
"192.168.0.4"
],
Instead of
"dns": {
"resolved_ip": [
"127.0.0.1, 192.168.0.3, 192.168.0.4"
],
Which is not an IP address but just a string of text.
Let me know if you need any clarifications. I am working on a solution to parse the ipaddr data but if you already have one, please provide!
Thanks!
The text was updated successfully, but these errors were encountered: