#logstash

looks like elasticsearch is analyzing fields so that program names like "puppet-master" are two separate terms, which is wonkin' up my kibana dashes. i set a default-mapping.json in my elasticsearch config dir to specify that field "program" not be analyzed and rolled over a new index, but it looks ilke that field is still being analzyed (terms being split by hyphens). what am i missing?

kizzale: are you certain you've applied the mapping?

kizzale: I've never put mappings in an elasticsearch config directory, I've always set them with the elasticsearch API

did you restart elasticsearch after adding your default-mapping.json? Have you verified that this setting is applied?

can I use a conditional to check if a field exists?

sagarC_: yes

sagarC_: if [somefield] { ... }

great, wasn't sure if I could actually use that. thanks

that should help a bit in grokking various syslog formats

Whack: bug submitted with I think everything to reproduce in 1669. Please let me know if you need anything else.

thanks!

New news from newjiraissues: Bryan Washer created LOGSTASH-1669 - Lumberjack input of muiltiline XML crashes the indexer and ES Master node <https://logstash.jira.com/browse/LOGSTASH-1669>;

does anyone have an elasticsearch index template to share with me?

that's a good starting point for logstash

hifire: 07:04 <goosemo> https://gist.github.com/untergeek/7359994

Title: Logstash v1.2+ Elasticsearch Mapping Template (at gist.github.com)

yessss

_BryanHm_: I commented on LOGSTASH-1669. Just a semi-educated guess, but maybe it'll help.

Jira issue [LOGSTASH-1669] Lumberjack input of muiltiline XML crashes the indexer and ES Master node - logstash.jira.com - https://logstash.jira.com/browse/LOGSTASH-1669

I was jsut reading...

I can test this in about 10 mins if you like

I made a test debug setup for this problem

just a thought.....but does it get path from the value once the file is found..or from the shipper configuration?

because I am using * in the middle of my paths to get multiple locations...since I DO NTO KNOW THE ACTUAL PATH BEFORE HAND

sorry about caps..its late

_BryanHm_: It's the actual filename...after the glob is expanded.

I was testing with a wildcard too.

ok I will try...but I wonder if that is the issue...

if you look at the forwarder config you will see what I did...I am almost ready to test your suggestion

still errors and crashes

PM'd you dump

I will retry with only one log file...

Is there a way I can debug the dns filter? I'm trying to do a reverse lookup, but don't see anything set (except that a tag is added), should I refer to the field I want to use as "%{foo}" or just "foo"?

greetings

is there any document for, 'how redis works with logstash' ??