由于python-logstash不是官方开发包,更新效率也非常缓慢,在es升级至8.0后pipeline的处理方案也有较多变化,以至于直接沿用7.x的pipeline配置会出现以下Bug。
[ERROR][logstash.codecs.json ][udp_logs] JSON parse error, original data now in message field {:message=>"Could not set field 'ip' on object 'a93e511ca775' to value '172.17.0.1'.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string", :exception=>Java::OrgLogstash::Accessors::InvalidFieldSetException, :data=>"{\"@timestamp\": \"2022-06-02T18:01:40.248Z\", \"@version\": \"1\", \"message\": \"{\\\"function\\\": \\\"user_logout\\\"}\", \"host\": \"a93e511ca775\", \"path\": \"/var/app/Kit/util.py\", \"tags\": [], \"type\": \"logstash\", \"level\": \"INFO\", \"logger_name\": \"logstash-13\", \"stack_info\": null, \"app\": \"csu_sign\", \"source\": \"csu_sign-service\"}"}
根据报错提示,核心问题是无法在host字段中写入ip信息
Could not set field 'ip' on object 'a93e511ca775' to value '172.17.0.1'
这个问题的核心原因是在配置pipeline时没有指定ecs_compatibility,导致在不同版本的处理方案不同,在7.x版本中若host字段存在会直接使用,但是在8.x中会自动在host字段下设置ip字段写入Logstash接收时数据包的ip来源。因此需要手动关闭ecs_compatibility设置,避免ip信息的自动写入。
input {
udp {
port => 9700
codec => json
ecs_compatibility => disabled
}
}
Appreciate your blog post… Really helped me to resolve the issue with my 7.x pipeline.
I deleted my host => “0.0.0.0” field and added ecs_compatibility to resolve JSON parse error, original data now in message field
{ :message=>”Could not set field ‘ip’ on object ” to value ‘10.0.5.1’.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string”,
:exception=>Java::OrgLogstash::Accessors::InvalidFieldSetException,
Solved with following:
input {
udp {
port => 8080
codec => “json”
ecs_compatibility => disabled
}
}