I've been trying to use logstash to query for elasticsearch events so that I could fill up some fields with more human readable data. I have one index for person names, which I try to use to enhance other fields when I'm indexing other kinds of events.
I guess there is something wrong with my query string, but I don't know what. I just keep getting this warning and the person_query_failed tag:
```
[2019-10-03T10:38:52,759][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"logstash-people", :error=>"Unexpected character ('}' (code 125)): was expecting a colon to separate field name and value\n at [Source: (byte[])\"{\n \"query\": {\n \"query_string\": { \"query\": { \"id:109\" } }\n },\n \"_source\": { \"cn\" }\n}\"; line: 3, column: 42]"}
[2019-10-03T10:38:52,760][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"logstash-people", :error=>"Unexpected character ('}' (code 125)): was expecting a colon to separate field name and value\n at [Source: (byte[])\"{\n \"query\": {\n \"query_string\": { \"query\": { \"id:4\" } }\n },\n \"_source\": { \"cn\" }\n}\"; line: 3, column: 40]"}
[2019-10-03T10:38:52,764][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"logstash-people", :error=>"Unexpected character ('}' (code 125)): was expecting a colon to separate field name and value\n at [Source: (byte[])\"{\n \"query\": {\n \"query_string\": { \"query\": { \"id:49\" } }\n },\n \"_source\": { \"cn\" }\n}\"; line: 3, column: 41]"}
```
This is my query template person_query.json:

```json
{
  "query": {
    "query_string": { "query": { "id:%{[dn_people]}" } }
  },
  "_source": { "cn" }
}
```
And here is my logstash filter configuration:

```
filter {
  elasticsearch {
    hosts => [ "https://localhost:9200" ]
    index => "logstash-people"
    query_template => "/path/to/person_query.json"
    fields => { "cn" => "person" }
    user => "admin"
    password => "password"
    ca_file => "/etc/elasticsearch/root-ca.pem"
    tag_on_failure => ["person_query_failed"]
  }
}
```
When looking at the warn logs, at least the query string itself seems to function as it should: "id:%{[dn_people]}" translates to "id:109", "id:4" and "id:125" respectively.
When writing my query, I've been looking at this: https://discuss.elastic.co/t/how-to-query-elasticsearch-and-take-some-fields-from-old-data/75300/3
Could someone help and push me in the right direction in fixing this?
I'm using Opendistro for Elasticsearch.
person_query.json is invalid. This should be valid:

```json
{ "query": { "query_string": { "query": "id:%{[dn_people]}" } }, "_source": "cn" }
```

– baudsp
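The warnings in the question are Elasticsearch's JSON parser rejecting the rendered template, so the cheapest fix is to render and parse the template locally before Logstash ever sends it. The script below is an added example, not code from the thread or from the Logstash elasticsearch filter: it substitutes `%{[field]}` references the way Logstash's sprintf does (the `render_template` helper and the sample event values are assumptions of this example) and then parses the result with the standard `json` module. The two templates are copied from the question and from baudsp's comment.

```python
import json
import re

# Constructed copies of the two templates in the thread: the original one that
# Elasticsearch rejected, and the corrected one from baudsp's comment.
ORIGINAL_TEMPLATE = """{
  "query": {
    "query_string": { "query": { "id:%{[dn_people]}" } }
  },
  "_source": { "cn" }
}"""

CORRECTED_TEMPLATE = """{
  "query": {
    "query_string": { "query": "id:%{[dn_people]}" }
  },
  "_source": "cn"
}"""

# Logstash field references: %{[field]} or nested %{[outer][inner]}.
FIELD_REF = re.compile(r"%\{\[([^}]*)\]\}")


def render_template(template, event):
    """Substitute %{[field]} references the way Logstash's sprintf does.

    Resolved values are inserted verbatim (no JSON escaping); an unresolved
    reference is left in place, which is also what Logstash does when the
    event has no such field. Helper written for this example.
    """
    def lookup(match):
        value = event
        for key in match.group(1).split("]["):
            if not isinstance(value, dict) or key not in value:
                return match.group(0)
            value = value[key]
        return str(value)

    return FIELD_REF.sub(lookup, template)


def check_template(template, event):
    """Render the template for one event and parse the result as JSON.

    Returns (True, parsed_body) when the rendered body is valid JSON, or
    (False, message) with the line/column of the first parse error, i.e. the
    same class of failure Elasticsearch reports back to the filter.
    """
    body = render_template(template, event)
    try:
        return True, json.loads(body)
    except json.JSONDecodeError as exc:
        return False, "line %d, column %d: %s" % (exc.lineno, exc.colno, exc.msg)


if __name__ == "__main__":
    # Constructed event; 109 mirrors the first id seen in the warning log.
    sample_event = {"dn_people": 109}
    for name, template in (("original", ORIGINAL_TEMPLATE), ("corrected", CORRECTED_TEMPLATE)):
        ok, result = check_template(template, sample_event)
        print(name, "OK" if ok else "INVALID", result)
    # A field value containing a double quote breaks even the corrected
    # template, because the value is spliced into a JSON string unescaped.
    print("quoted value", check_template(CORRECTED_TEMPLATE, {"dn_people": 'a"b'}))
```

Run against the original template the check fails on line 3 with "Expecting ':' delimiter", the same position Elasticsearch complained about; the corrected template parses to a normal `query_string` body with `"_source": "cn"`. The last call shows the caveat that comes with this enrichment pattern: the field value is spliced into the template verbatim, so an event whose `dn_people` contains a quote (or query_string operators) yields either a parse failure or a different query than intended. Keeping the lookup field numeric, or restricting it to a known character set before the filter runs, is what keeps the failure tag from being the only symptom.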