I see the problem. Please keep in mind whenever you are using the for loop in the parser you must initialize the variables you will be using in the loop. Otherwise the results are unpredictable - by that I mean when you run the parser you may get no errors, but when you run it again you may get errors. So you got lucky when you submitted the parser. And also you may not have encountered this particular log on which it was failing at the time of validation. So if you run the parser again on the log you sent here, it will fail and also succeed. To fix this, this is what you have to do - add the mutate command to initialize the event to be null in the for loop:
for index, msg in gi_event {
    mutate {
        replace => {
            "event" => ""
        }
    }
    mutate {
        convert => {
            "msg.src_port" => "integer"
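The state carry-over the reply above warns about, as an added illustration that is neither Chronicle's parser engine nor the poster's configuration: a small Python model of a loop over `gi_event` that builds one output event per sub-message. `parse_without_reset` reuses the working `event` across iterations, so a field set by an earlier sub-message leaks into a later one that never carried it; `parse_with_reset` models the `mutate { replace => { "event" => "" } }` fix by emptying `event` at the top of every iteration. The sample array, the function names and the `stale_fields` check are constructed for this example; that a leaked field is what produced the intermittent validation failures is an assumption drawn from the reply, not something the thread confirms.

```python
# Added illustration of per-iteration variable initialization in a parser loop.
# This is a Python model of the behaviour, not Chronicle's parser and not the
# poster's configuration. Names and sample data are constructed.

# Constructed sample: one record whose gi_event array holds two sub-messages.
# The second sub-message deliberately lacks src_port.
SAMPLE_GI_EVENT = [
    {"src_ip": "10.0.0.1", "src_port": "443", "action": "allow"},
    {"src_ip": "10.0.0.2", "action": "deny"},
]


def parse_without_reset(gi_event):
    """Model of a loop body that never re-initializes 'event'.

    The working variable is created once and reused, so any field set in an
    earlier iteration survives into later iterations whose msg lacks it.
    """
    event = {}  # created once; never cleared between sub-messages
    outputs = []
    for index, msg in enumerate(gi_event):
        # copy whatever fields this sub-message carries
        for key, value in msg.items():
            event[key] = value
        # equivalent of: mutate { convert => { "msg.src_port" => "integer" } }
        if "src_port" in event:
            event["src_port"] = int(event["src_port"])
        outputs.append(dict(event))
    return outputs


def parse_with_reset(gi_event):
    """Model of the fix from the reply: 'event' is emptied at the top of
    every iteration, so nothing from the previous sub-message survives."""
    outputs = []
    for index, msg in enumerate(gi_event):
        event = {}  # equivalent of: mutate { replace => { "event" => "" } }
        for key, value in msg.items():
            event[key] = value
        if "src_port" in event:
            event["src_port"] = int(event["src_port"])
        outputs.append(event)
    return outputs


def stale_fields(gi_event, outputs):
    """Per output index, list the keys that did not come from that
    iteration's own sub-message. Non-empty lists mean state leaked."""
    return [sorted(set(out) - set(msg)) for msg, out in zip(gi_event, outputs)]


if __name__ == "__main__":
    leaky = parse_without_reset(SAMPLE_GI_EVENT)
    clean = parse_with_reset(SAMPLE_GI_EVENT)
    print("without reset:", stale_fields(SAMPLE_GI_EVENT, leaky))
    print("with reset:   ", stale_fields(SAMPLE_GI_EVENT, clean))
```

Running the block prints `[[], ['src_port']]` for the leaky version, showing that the second output event carries a `src_port` it never received, and `[[], []]` once the per-iteration reset is in place. The same check is a cheap thing to run over a parser's test output whenever a loop is involved: any output field that its source sub-message did not contain is a sign that a loop variable was not initialized.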
Thanks for the clarification provided. We have incorporated the logic of initialising the event to null in our parser code, but still we encounter the same issue, i.e. only one event is getting generated during live log ingestion.
Please post the json log where you are seeing this problem. Make sure to obfuscate the data before posting.