Field disabled (elastic)

(charlie) #1

Hi Everyone,

Quick question. I have Graylog (2.4.6) capturing some syslogging for me. I imported a Cisco ASA extractor from the marketplace without any issues and I can see the messages showing up under my search. However, when I try to display world map data for the source IPs I get the following error in my Elastic logs:

Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.

From what I can understand, this is intentional (Link: No message quickvalues in fresh install).

Any idea how I can display my data with these views without breaking the Graylog convention/standards?

(John Buchanan) #2

Out of curiosity, which extractor are you using? I use a simple GROK pattern against our incoming ASA traffic to new field “source_ip”, and the geolocation data executes fine.

(charlie) #3

I’m actually trying the SonicWall and ASA extractors from the marketplace.

For the SonicWall extractor, when attempting to use the world map on the src_ip field, I get all sorts of errors, despite it looking like what I believe to be right:

I must have extractors wrong, because my log file is full of exceptions like this:

2018-08-07T09:56:54.802+12:00 ERROR [Extractor] Could not apply converter .
java.lang.IllegalArgumentException: Invalid format: “id=firewall sn=18B1690D3AB8 time…”
at org.joda.time.format.DateTimeFormatter.parseDateTime( ~[graylog.jar:?]
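
The two problems in this thread have the same root: a widget (or a converter) is pointed at the whole `message` text field instead of at a field an extractor cut out of it. The following is an added example, not code from the thread, from Graylog or from the marketplace extractors. It is a minimal Grok-style extractor in Python that mirrors what John describes in #2 (a `%{IP:source_ip}` capture into its own field) and reproduces the converter failure in #3: a date converter parses the extracted `time` field fine, but fails exactly as the log shows when it is handed the raw SonicWall message. The ASA and SonicWall log lines are constructed samples, the `SONICWALL_TIME` pattern name is my own addition to the Grok subset, and the field names (`source_ip`, `src_ip`, `time`) are assumptions chosen to match the posts.

```python
import ipaddress
import re
from datetime import datetime

# Subset of Grok's built-in patterns, plus a custom SONICWALL_TIME pattern
# (the custom name is mine, not a standard Grok pattern).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "SONICWALL_TIME": r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [A-Z]+",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named capture groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_GROK_REF.sub(repl, pattern))


def grok_extract(pattern, message):
    """Fields a Grok pattern extracts from one message; {} when it does not match."""
    m = grok_to_regex(pattern).search(message)
    return m.groupdict() if m else {}


# Constructed sample lines (not real captures) in the two vendors' formats.
ASA_LINE = ('%ASA-4-106023: Deny tcp src outside:198.51.100.23/54321 '
            'dst inside:10.0.0.7/22 by access-group "OUTSIDE_IN" [0x0, 0x0]')
ASA_PATTERN = (r"src %{WORD:src_interface}:%{IP:source_ip}/%{INT:source_port} "
               r"dst %{WORD:dst_interface}:%{IP:dest_ip}/%{INT:dest_port}")

SONICWALL_LINE = ('id=firewall sn=0017C5AABBCC time="2018-08-07 09:56:54 UTC" '
                  'fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" '
                  'src=10.0.0.5:51234:X0 dst=198.51.100.9:443:X1 proto=tcp/https')
SONICWALL_PATTERN = (r'time="%{SONICWALL_TIME:time}".*'
                     r'src=%{IP:src_ip}:%{INT:src_port}:%{WORD:src_iface} '
                     r'dst=%{IP:dst_ip}:%{INT:dst_port}:%{WORD:dst_iface}')


def date_converter(value, fmt="%Y-%m-%d %H:%M:%S %Z"):
    """Stand-in for an extractor date converter: strict parse, ValueError on mismatch."""
    return datetime.strptime(value, fmt)


def geo_field_ok(value):
    """A world-map widget needs a real IP in its own field, not free text."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def convert_field(fields, name, converter):
    """Apply a converter to one extracted field; return (ok, result or error text)."""
    try:
        return True, converter(fields[name])
    except (KeyError, ValueError) as exc:
        return False, f"Could not apply converter to {name!r}: {exc}"


def converter_on_whole_message(message, converter=date_converter):
    """The failure mode from the thread: the converter is run against the raw
    message instead of the extracted time field, so it can never parse."""
    ok, _ = convert_field({"message": message}, "message", converter)
    return ok


if __name__ == "__main__":
    asa = grok_extract(ASA_PATTERN, ASA_LINE)
    print("ASA source_ip:", asa["source_ip"], "usable for geo:", geo_field_ok(asa["source_ip"]))
    sw = grok_extract(SONICWALL_PATTERN, SONICWALL_LINE)
    print("SonicWall src_ip:", sw["src_ip"], "time field:", convert_field(sw, "time", date_converter))
    print("converter on whole message succeeds:", converter_on_whole_message(SONICWALL_LINE))
```

The point to take from the last two calls is that the converter must be attached to the extractor that produces the `time` field, not to one whose source field is the entire `message`; the same applies to the map widget, which has to be pointed at `source_ip` / `src_ip` rather than `message`.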

(Jan Doberstein) #4

Did you see this posting?

(charlie) #5

Thanks, that looks great