volcano
(volcano)
January 13, 2020, 3:50pm
1
Here is this entry in logstash.conf
mutate {
  split => ["message","Employee"]
  add_field => {"part1" =>"%{[message][0]}"}
  add_field => {"part2" =>"%{[message][1]}"}
}
mutate {
  split => ["part2","#"]
  add_field => {"part2_1" =>"%{[part2][0]}"}
  add_field => {"part2_2" =>"%{[part2][1]}"}
}
This adds the part1, part2, part2_1 and part2_2 fields to Kibana's Available fields list.
But my requirement is to add only the part2_2 field. The rest of the fields are not required in Kibana.
What changes should I make here so that only the part2_2 field is added to Kibana's Available fields list?
mattkime
(Matthew Kime)
January 14, 2020, 2:19am
2
Hello @volcano - Which version of the Elastic Stack are you running? Do you need those fields to be in Elasticsearch aside from usage in Kibana?
volcano
(volcano)
January 14, 2020, 4:35am
3
I don't want field part1 to be pushed to Elasticsearch and then to Kibana. I want only part2 to be pushed to Elasticsearch and Kibana.
I am worried about the syntax. I am changing it this way:
From this...
mutate {
  split => ["message","Employee"]
  add_field => {"part1" =>"%{[message][0]}"}
  add_field => {"part2" =>"%{[message][1]}"}
}
To this
mutate {
  split => ["message","Employee"]
  part1 =>"%{[message][0]}"}
  add_field => {"part2" =>"%{[message][1]}"}
}
Look at part1 above. Is this the correct syntax to not add the field? I am stuck at this spot.
I am using the Elasticsearch managed service in AWS, version 7.1.1.
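An added example, not part of the original thread or of any participant's reply: one way to end up with only part2_2 is to skip the add_field lines for the fields that are not wanted and drop the intermediate part2 with mutate's remove_field once part2_2 exists. It assumes the same field names and delimiters ("Employee" and "#") as the configuration in the question.

```logstash
filter {
  # Step 1: split the raw message on "Employee".
  # Only the second piece is copied out; no part1 field is created.
  mutate {
    split     => { "message" => "Employee" }
    add_field => { "part2" => "%{[message][1]}" }
  }

  # Step 2: split the intermediate field on "#".
  # Only the second piece is copied out; no part2_1 field is created.
  mutate {
    split     => { "part2" => "#" }
    add_field => { "part2_2" => "%{[part2][1]}" }
  }

  # Step 3: remove the intermediate field in its own mutate block,
  # so it is gone before the event reaches the elasticsearch output.
  mutate {
    remove_field => ["part2"]
  }
}
```

After the first split, message is an array rather than the original string. If a line does not contain "Employee", the `%{[message][1]}` reference cannot be resolved and is stored as literal text.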
mattkime
(Matthew Kime)
January 14, 2020, 11:16pm
4
system
(system)
Closed
February 11, 2020, 11:16pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.