Beats Input not working

I have defined a Beats input but it seems it is not reading log files. When I click on “Show Received Messages” it prints the following:

While retrieving data for this widget, the following error(s) occurred:

  • Unable to perform search query: [query_string] query does not support [auto_generate_synonyms_phrase_query].

From the below, I can see no messages are received:

Throughput / Metrics

1 minute average rate: 0 msg/s
Network IO: 0B 0B (total: 0B 0B )
Active connections: 0 (0 total)
Empty messages discarded: 0

2. Describe your environment:

  • RedHat 7

I have installed all the Graylog software modules on the same host which generates logs.

Hello @mdanehpash

This may be from your Elasticsearch/OpenSearch version. Hard to tell without knowing the versions installed on this stack. More info would help.

Hi @gsmith,

Here are the versions of the software:

elasticsearch-6.0.0-1.noarch
mongodb-org-server-4.0.28-1.el7.x86_64
filebeat-8.4.1-1.x86_64
graylog-3.2-repository-1-1.noarch
graylog-sidecar-1.2.0-1.x86_64

Hello,

auto_generate_synonyms_phrase_query

Introduced in Elasticsearch 6.1.0. Perhaps try upgrading your ES to that version?

I installed Elasticsearch 6.1 which resolved the issue, now I get the below error message:

While retrieving data for this widget, the following error(s) occurred:

  • Search type returned error: failed to parse date field [1970-01-01 00:00:00.000] with format [8yyyy-MM-dd HH:mm:ss.SSS].

Hello,

Oh boy :laughing: just can’t win… you have a timestamp issue that Elasticsearch does not like; perhaps remove the “8”.

Hi gsmith

Is Elasticsearch parsing the date within the input file transported by Beats? Where is this date? How can I correct it? My log file content samples are:

Fri Oct 7 10:04:23 2022 Non Idle State Event Report being requested for MIREK
Fri Oct 7 10:04:23 2022 Non Idle State Event Report being requested for VIPULA_T1

and

2022/08/30 14:20:51 INFO 2Waiting for qitem on error queue:report_error
2022/08/30 14:21:38 INFO Shutting DOWN

I do not see format [8yyyy-MM-dd HH:mm:ss.SSS].

I’m not 100% sure what is happening. All I know is Elasticsearch does not like your timestamp field.
If you have any configurations manipulating the date field, like Extractors/Pipelines or log shippers, I would double check to ensure they’re good. If not, then we would need more information to find out what the exact issue is. More detailed information from the logs or any configurations made would be helpful.
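An added example (not from this thread or from Graylog): a small Python helper that normalizes the timestamps of the two log layouts quoted above into the `yyyy-MM-dd HH:mm:ss.SSS` shape named in the error, and a checker that treats a leading digit in a Java-style format string as a literal the value must start with, so the stray `8` in `8yyyy-MM-dd HH:mm:ss.SSS` is rejected while the same format without it is accepted. The sample lines are copied from the posts above; the regexes and the Java-to-strptime mapping are this example's own assumptions.

```python
import re
from datetime import datetime

# Format string quoted verbatim from the thread's error message.
ERROR_FORMAT = "8yyyy-MM-dd HH:mm:ss.SSS"

# Regex + strptime pattern for each of the two log layouts quoted in the thread (assumed).
SOURCE_FORMATS = [
    (re.compile(r"^([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"),
     "%a %b %d %H:%M:%S %Y"),                      # "Fri Oct 7 10:04:23 2022 ..."
    (re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"),
     "%Y/%m/%d %H:%M:%S"),                         # "2022/08/30 14:21:38 INFO ..."
]

# Java pattern letters -> strptime directives, only for the tokens in ERROR_FORMAT.
JAVA_TO_PY = {"yyyy": "%Y", "MM": "%m", "dd": "%d",
              "HH": "%H", "mm": "%M", "ss": "%S", "SSS": "%f"}


def normalize_timestamp(line):
    """Return the line's leading timestamp as 'yyyy-MM-dd HH:mm:ss.SSS', or None."""
    for regex, py_fmt in SOURCE_FORMATS:
        m = regex.match(line)
        if m:
            ts = datetime.strptime(m.group(1), py_fmt)
            # Source logs carry no sub-second part, so milliseconds come out as .000.
            return ts.strftime("%Y-%m-%d %H:%M:%S") + ".%03d" % (ts.microsecond // 1000)
    return None


def matches_format(value, java_fmt):
    """True if value parses with java_fmt; leading digits are literals the value must begin with."""
    literal = ""
    while java_fmt and java_fmt[0].isdigit():
        literal, java_fmt = literal + java_fmt[0], java_fmt[1:]
    if not value.startswith(literal):
        return False  # e.g. '1970-01-01 ...' never begins with the stray '8'
    py_fmt = java_fmt
    for java, py in JAVA_TO_PY.items():
        py_fmt = py_fmt.replace(java, py)
    try:
        datetime.strptime(value[len(literal):], py_fmt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample lines, copied from the two log files quoted in the thread.
    for line in ["Fri Oct 7 10:04:23 2022 Non Idle State Event Report being requested for MIREK",
                 "2022/08/30 14:21:38 INFO Shutting DOWN"]:
        print(line, "->", normalize_timestamp(line))
    print(matches_format("1970-01-01 00:00:00.000", ERROR_FORMAT))       # False
    print(matches_format("1970-01-01 00:00:00.000", ERROR_FORMAT[1:]))   # True
```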
