Skip to content
This repository has been archived by the owner on Dec 15, 2020. It is now read-only.

Cannot publish events to es2x because of '.' character in field name #32

Open
adriananeci opened this issue Aug 17, 2017 · 0 comments
Open

Comments

@adriananeci
Copy link

adriananeci commented Aug 17, 2017

Hi Joshua,

I'm not able to index event in elasticsearch v 2.4.1. The ping beat is successfully connecting to es.

Detected Elasticsearch 2.x. Automatically selecting the 2.x version of the template 2017/08/16 12:54:02.146438 beat.go:221: INFO pingbeat start running. 2017/08/16 12:54:02.146470 pingbeat.go:79: INFO pingbeat is running! Hit CTRL-C to stop it. 2017/08/16 12:54:02.147816 pingbeat.go:107: INFO Using ip4:icmp connection 2017/08/16 12:54:02.992963 client.go:588: INFO Elasticsearch template with name 'pingbeat' loaded
But after that it throw lots of warnings like:
client.go:442: WARN Can not index event (status=400): {"type":"mapper_parsing_exception","reason":"Field name [target.addr] cannot contain '.'"}

I think ProcessPing function from pingbeat.go should be adjusted in order to adapt the event fields based on the es version (e.g replace '.' with '_' in the field name for es2x ).
event := common.MapStr{ "@timestamp": common.Time(time.Now().UTC()), "type": "pingbeat", "target.name": name, "target.addr": ping.Target, "target.tags": tags, "loss": true, "reason": ping.LossReason, }

I've tried to recompile the pingbeat but it seems that go libraries for beat have been refactored and I've got a lot of errors :D.

Regards,
Adrian.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant