I found out what the issue is.
In 7.15, there was a change (Consolidate model.HTTP and model.Http by axw · Pull Request #5764 · elastic/apm-server · GitHub) where the body.original field turned from a nested field to a dotted field.
This breaks ingest node pipelines where every field is expected to be nested. I'd consider this a bug in APM Server.
I have a workaround for you, though. You can use the dot_expander processor to convert the dotted field name into a nested one:

# Pipeline: expand the dotted key first, then parse the body as JSON
PUT _ingest/pipeline/apm_parse_body
{
  "description": "Parse APM message body content",
  "processors": [
    {
      "dot_expander": {
        "path": "http.request",
        "field": "body.original"
      }
    },
    {
      "json": {
        "if": "ctx.http?.request?.body?.original instanceof String && ctx.http?.request?.body?.original != '[REDACTED]'",
        "field": "http.request.body.original"
      }
    }
  ]
}

# Start from a clean test index
DELETE /apm-test?ignore_unavailable=true

# Test document with body.original as a nested field
POST /apm-test/_doc?pipeline=apm_parse_body&refresh=true
{
  "http": {
    "request": {
      "method": "PUT",
      "body": {
        "original": """[{"channel_id":"123456","channel_name":"Test","source_username":null,"url":"xyz.com"}]"""
      }
    }
  }
}

# Test document with body.original as a dotted field
POST /apm-test/_doc?pipeline=apm_parse_body&refresh=true
{
  "http": {
    "request": {
      "method": "PUT",
      "body.original": """[{"channel_id":"123456","channel_name":"Test","source_username":null,"url":"xyz.com"}]"""
    }
  }
}

# Check how both documents were indexed
POST /apm-test/_search
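
Added example, not part of the original post and not Elasticsearch code: a small Python model of the two pipeline steps above, showing why the `if` condition never matches the dotted key until it has been expanded, and that a `[REDACTED]` body is left unparsed. The helper names (`lookup`, `dot_expander`, `json_step`, `run`) and the sample documents are constructed for illustration.

```python
import json

REDACTED = "[REDACTED]"  # value the page's `if` condition skips
RAW = '[{"channel_id":"123456","channel_name":"Test","source_username":null,"url":"xyz.com"}]'

def lookup(doc, path):
    """Walk nested objects only, as ctx.http?.request?.body?.original does."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def dot_expander(doc, path, field):
    """Simplified model: turn the literal key `field` under `path` into nested objects."""
    parent = lookup(doc, path)
    if not isinstance(parent, dict) or field not in parent:
        return doc  # nothing to expand (already nested, or absent)
    value = parent.pop(field)
    *branches, leaf = field.split(".")
    for key in branches:
        parent = parent.setdefault(key, {})
    parent[leaf] = value
    return doc

def json_step(doc):
    """Model of the json processor guarded by the page's `if` condition."""
    original = lookup(doc, "http.request.body.original")
    if isinstance(original, str) and original != REDACTED:
        doc["http"]["request"]["body"]["original"] = json.loads(original)
    return doc

def run(doc, expand=True):
    if expand:
        dot_expander(doc, "http.request", "body.original")
    return json_step(doc)

def nested_doc(body=RAW):   # constructed sample: nested shape
    return {"http": {"request": {"method": "PUT", "body": {"original": body}}}}

def dotted_doc(body=RAW):   # constructed sample: dotted shape described for 7.15
    return {"http": {"request": {"method": "PUT", "body.original": body}}}

if __name__ == "__main__":
    for name, doc in [("nested", nested_doc()), ("dotted", dotted_doc()),
                      ("redacted", dotted_doc(REDACTED))]:
        print(name, json.dumps(run(doc)))
    print("dotted, no dot_expander", json.dumps(run(dotted_doc(), expand=False)))
```
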