Graylog Indexer Failure On Exchange Logs

I have recently started getting the following Graylog Indexer Failures. I know I need to make a custom mapping but I can’t find the custom mapping file. Where is it located? I would also like to get help writing my mapping before applying it.

exchange_index_1 {"type":"mapper_parsing_exception","reason":"failed to parse [message_info]","caused_by":{"type":"illegal_argument_exception","reason":"Invalid format: \"04I:\" is malformed at \"I:\""}}

I can’t quite figure out what my mapping.json file should look like also. Can I get some help formatting this?

See http://docs.graylog.org/en/2.3/pages/configuration/elasticsearch.html#custom-index-mappings.

I understand how to read the documentation, but I don’t quite understand what fields in my message go where in the custom .json mapping.

Is this all I need to add?

"mappings" : {
  "message" : {
    "properties" : {
      "message_info" : {
        "type" : "string",
        "index" : "not_analyzed"
      }
    }
  }
}

That’s explained in the linked documentation and in the Elasticsearch documentation:

Again, I am reading the documentation, but I would like some verification that I am going the correct direction. Reading the documentation I sort of understand what I need to do, but my understanding is not complete and I don’t feel that I have formatted my custom string correctly.

Here is what I have created for my new exchange index. I named the mapping file exchange-custom-mapping.json.

{
  "exchange-custom-mapping" : {
    "order" : 0,
    "template" : "exchange_*",
    "settings" : { },
    "mappings" : {
      "message" : {
        "properties" : {
          "message_info" : {
            "index" : "analyzed",
            "type" : "string"
          }
        }
      }
    },
    "aliases" : { }
  }
}
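
An added example, not part of the thread and not Graylog's or any poster's code: it extracts the failing field from the indexer failure quoted above and builds an index-template request body that pins that field to a string type, using the field name, `exchange_*` pattern and `string`/`not_analyzed` values from the posts. The function names are hypothetical; the name-wrapped shape handled by `unwrap` is the form in which Elasticsearch returns a stored template, while the `PUT _template/<name>` request takes the bare body.

```python
import json
import re

# Constructed input: the indexer failure from the thread, with JSON escapes restored.
# "Invalid format ... is malformed at" is a date-parsing error: the field was mapped as a date.
FAILURE = r'''{"type":"mapper_parsing_exception","reason":"failed to parse [message_info]","caused_by":{"type":"illegal_argument_exception","reason":"Invalid format: \"04I:\" is malformed at \"I:\""}}'''


def failing_field(failure_json):
    """Return (field, cause) for a mapper_parsing_exception, else None."""
    err = json.loads(failure_json)
    if err.get("type") != "mapper_parsing_exception":
        return None
    match = re.search(r"failed to parse \[([^\]]+)\]", err.get("reason", ""))
    if match is None:
        return None
    return match.group(1), err.get("caused_by", {}).get("reason", "")


def template_body(index_prefix, field, analyzed=False):
    """Request body for PUT _template/<name>; the name goes in the URL, not the body."""
    index = "analyzed" if analyzed else "not_analyzed"
    return {
        "template": index_prefix + "_*",
        "mappings": {
            "message": {"properties": {field: {"type": "string", "index": index}}}
        },
    }


def unwrap(doc):
    """Split a {name: body} document (the shape GET _template returns) into (name, body)."""
    if "template" in doc:
        return None, doc  # already a bare request body
    if len(doc) == 1:
        name, body = next(iter(doc.items()))
        if isinstance(body, dict) and "template" in body:
            return name, body
    raise ValueError("not an index template document")


if __name__ == "__main__":
    field, cause = failing_field(FAILURE)
    print(field, "->", cause)
    print(json.dumps(template_body("exchange", field), indent=2))
```

A template only affects indices created after it is loaded, so the failures continue until the index set's active write index is rotated.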
