{"timestamp":"2017-11-13T17:09:32.878Z","level":"INFO","message":"Exchange [creators/createAllExchangersForUser]: Currencies to gen: ","meta":""}
After enabling JSON extractor for message field I have errors in my server log:
2017-11-13T16:58:56.475Z ERROR [BlockingBatchedESOutput] Unable to flush message buffer
java.lang.ClassCastException: Cannot cast java.lang.String to org.joda.time.DateTime
at java.lang.Class.cast(Class.java:3369) ~[?:1.8.0_151]
at org.graylog2.plugin.Message.getFieldAs(Message.java:384) ~[graylog.jar:?]
at org.graylog2.plugin.Message.getTimestamp(Message.java:189) ~[graylog.jar:?]
at org.graylog2.indexer.messages.Messages.propagateFailure(Messages.java:181) ~[graylog.jar:?]
at org.graylog2.indexer.messages.Messages.bulkIndex(Messages.java:145) ~[graylog.jar:?]
at org.graylog2.outputs.ElasticSearchOutput.writeMessageEntries(ElasticSearchOutput.java:111) ~[graylog.jar:?]
at org.graylog2.outputs.BlockingBatchedESOutput.flush(BlockingBatchedESOutput.java:129) [graylog.jar:?]
at org.graylog2.outputs.BlockingBatchedESOutput.writeMessageEntry(BlockingBatchedESOutput.java:110) [graylog.jar:?]
at org.graylog2.outputs.BlockingBatchedESOutput.write(BlockingBatchedESOutput.java:92) [graylog.jar:?]
at org.graylog2.buffers.processors.OutputBufferProcessor$1.run(OutputBufferProcessor.java:191) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_151]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_151]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_151]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
The timestamp field is vaild. How I can resolve this issue?
Graylog 2.3.2+3df951e on localhost (Oracle Corporation 1.8.0_151 on Linux 4.4.0-78-generic)
“timestamp” is a special field and has to be an actual date/time and not a string.
You can either use a “Key prefix” in your JSON extractor, so that the field will be extracted to another name (e. g. “timestamp” → “custom_timestamp”, “level” → “custom_level”) or write a pipeline rule which extracts the JSON payload with parse_json() and then converts the “timestamp” field to an actual date/time with parse_date().
It is absolutely valid ISO 8601 timesatmp https://www.regexpal.com/97766
Why have I use some pipeline rules or extract timestamp to another field when Graylog should parse this normally?
Well. I just renamed timestamp field from JSON and have got next error:
ERROR [Messages] Failed to index [3] messages. Please check the index error log in your web interface for the reason. Error: One or more of the items in the Bulk request failed, check BulkResult.getItems() for more information.
{"type":"mapper_parsing_exception","reason":"failed to parse [level]","caused_by":{"type":"number_format_exception","reason":"For input string: \"INFO\""}}
Looks like there is a problem with elasticsearch indices. I have two inputs - kafka and nginx (from filebeat). My nginx logs already mapped fields with different types.
Is it possible to write kafka input to another index?
It is okay now. I just created new index set and new stream with “Remove matches from ‘All messages’ stream” option. Now JSON parsing as expected. Thank you
