This is actually valid JSON, but ElasticSearch (as of v2) has decided that since
Kibana uses '.' as a delimiter between fields, that ElasticSearch would disallow
'.' in field names.
There is not currently a plugin to go through and sanitize field names. It's
been requested for a while, but hasn't bubbled up to the top of anyone's to-do
list yet. I got a quote to implement this (500 euro), but my company got tangled
in internal politics on the issue and is not going to be able to do so anytime
soon.
In the meantime you can use the set and unset commands to manually rename the
fields that your logs have that have . in them.

For example, for the event.tags created by liblognorm you can do:

    set event_tags = event.tags;
    unset event.tags;

This isn't a good work-around, but it does work. If anyone is able to drum up
sponsorship for the feature, it can be available pretty quickly.
David Lang
On Tue, 28 Jun 2016, Alec Swan wrote:
Hello,
I am using rsyslog 8.19.0 with mmnormalize and liblognorm to parse our log
messages and convert them to JSON. After that I use omelasticsearch to send
JSON to Elasticsearch 2.2.3.
I noticed the following recurring error in the Elasticsearch logs, which
makes me believe that one of the plugins listed above is producing invalid
JSON. Which plugin would that be and is there a fix for this?
*Unexpected character ('.' (code 46)): expected a hex-digit for
character escape sequence*
Thanks,
Alec
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
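
Added example, not part of the original thread and not rsyslog or Elasticsearch code: a sketch of the field-name sanitizing discussed above, done generically on a decoded JSON event instead of one set/unset pair per field. The function name dedot, the "_" replacement and the sample event are assumptions made for illustration; it also covers the case where the renamed key already exists, which the manual rename would silently overwrite.

```python
import json


def dedot(value, sep="_"):
    """Return a copy of a decoded JSON value with '.' replaced in every object key.

    Nested objects and arrays are walked recursively. If a renamed key would
    collide with an existing key, `sep` is appended until the name is unique,
    so no field is dropped.
    """
    if isinstance(value, list):
        return [dedot(item, sep) for item in value]
    if not isinstance(value, dict):
        return value  # strings, numbers, booleans, null: dots in values are fine

    out = {}
    # Process keys without a dot first (sorted() is stable, so their order is
    # kept); a renamed key can then never overwrite an original one.
    for key in sorted(value, key=lambda k: "." in k):
        new_key = key.replace(".", sep)
        while new_key in out:
            new_key += sep
        out[new_key] = dedot(value[key], sep)
    return out


def sanitize_line(line, sep="_"):
    """Take one JSON document as text and return it with dot-free field names."""
    return json.dumps(dedot(json.loads(line), sep))


# Constructed sample event (not taken from the thread): a dotted top-level
# field, a colliding undotted field, and a dotted field in a nested object.
SAMPLE = (
    '{"msg": "login failed", "event.tags": ["auth", "fail"], '
    '"event_tags": "legacy", "src": {"ip.addr": "192.0.2.10"}}'
)

if __name__ == "__main__":
    print(sanitize_line(SAMPLE))
```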