Field disabled (elastic)

Hi Everyone,

Quick question. I have Graylog (2.4.6) capturing some syslogging for me. I imported a cisco ASA extractor from the market place without any issues and I can see the messages showing up under my search. However, when I try to display world map data for the source IPs I get the following error in my elastic logs:

Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.

From what I can understand, this is intentional (Link: No message quickvalues in fresh install).

Any idea how I can display my data with these views without breaking the Graylog convention/standards?

Out of curiosity, which extractor are you using? I use a simple GROK pattern against our incoming ASA traffic to extract into a new field “source_ip”, and the geolocation data executes fine.

I’m actually trying sonicwall and ASA extractors from the market place


For the sonicwall extractor, when attempting to use the world map on the src_ip field, I get all sorts of errors, despite it looking like what I believe to be right:


I must have extractors wrong, because my log file is full of exceptions like this:

2018-08-07T09:56:54.802+12:00 ERROR [Extractor] Could not apply converter 2019-01-03 17:04:04.
java.lang.IllegalArgumentException: Invalid format: “id=firewall sn=18B1690D3AB8 time…”
at org.joda.time.format.DateTimeFormatter.parseDateTime(DateTimeFormatter.java:945) ~[graylog.jar:?]
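The two posts above describe the same pitfall from both sides: the geolocation map works when an extractor first pulls the bare IP into its own field (the GROK reply), and the date converter fails with "Invalid format" when it is applied to the whole message instead of the extracted time field. The script below is an added example, not code from the thread, from Graylog or from any extractor on the marketplace. It mimics what an extractor plus converter does in plain Python: a key=value regex for a constructed SonicWall-style line, a GROK-like named-group regex for a constructed ASA-style line, and a date converter that is run once on the whole message (fails) and once on the extracted time field (succeeds). The sample log lines, field names and the date format are assumptions for illustration.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed SonicWall-style syslog line (assumption; not a real device log).
SAMPLE_SONICWALL = (
    'id=firewall sn=0123456789AB time="2018-08-07 09:56:54 UTC" fw=192.0.2.1 pri=6 '
    'c=1024 m=537 msg="Connection Closed" n=42 src=198.51.100.23:51514:X1 '
    'dst=203.0.113.9:443:X2 proto=tcp/https'
)

# Constructed ASA-style syslog line (assumption; not a real device log).
SAMPLE_ASA = (
    '%ASA-6-302013: Built inbound TCP connection 12345 for '
    'outside:198.51.100.23/51514 (198.51.100.23/51514) to '
    'inside:10.0.0.5/443 (203.0.113.9/443)'
)

# key=value pairs: the value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Rough equivalent of a GROK pattern such as 'for outside:%{IP:source_ip}/'.
ASA_SRC_RE = re.compile(r'for outside:(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})/')

# Equivalent of the Joda pattern "yyyy-MM-dd HH:mm:ss zzz" (assumed for the sample).
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"


def extract_fields(message):
    """Split a SonicWall-style message into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(message):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def sonicwall_src_ip(fields):
    """SonicWall 'src' is ip:port:interface; keep only the IP and validate it.

    ip_address() raises ValueError on anything that is not an address, so a
    field that accidentally holds the whole message is rejected instead of
    being sent to the geo lookup.
    """
    return str(ip_address(fields["src"].split(":")[0]))


def asa_source_ip(message):
    """Return the ASA source IP via the GROK-like named group, or None if absent."""
    m = ASA_SRC_RE.search(message)
    return str(ip_address(m.group("source_ip"))) if m else None


def convert_date(value):
    """Mimic a date converter: a timezone-aware datetime, or None when the
    input does not match the format (Graylog logs the Joda exception here)."""
    try:
        return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


if __name__ == "__main__":
    fields = extract_fields(SAMPLE_SONICWALL)
    print("sonicwall src_ip :", sonicwall_src_ip(fields))
    print("asa source_ip    :", asa_source_ip(SAMPLE_ASA))
    # Converter on the whole message: this is the failing configuration.
    print("date on message  :", convert_date(SAMPLE_SONICWALL))
    # Converter on the extracted time field: this is the working configuration.
    print("date on time     :", convert_date(fields["time"]))
```

The map widget needs a field that holds nothing but an address, which is why the working setups extract into a dedicated field rather than pointing the widget at the analyzed `message` text field; the same separation is what makes the date converter parse the time string rather than the entire line.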

Did you see this posting?


Thanks, that looks great
