Avoid overridding of default message field in logstash

javatechy · October 16, 2016, 12:10pm

I am using logstash to parse my logs. when i am parsing the json (which contains a "message" field) overrides the default message field. I tried using remove_field option of json{ } filter but that didn't work work for me.

Here is my filter code:
filter {
mutate { gsub => ["message",""","'"] }
mutate { gsub => ["message",".","_"] }
csv {
columns => ["TIMESTAMP","HEADERS","FIELD1","FIELD2","FIELD2_TIME","INTER_FIELD2"]
separator => "|"
}
mutate { gsub => ["FIELD1", "'", '"']}
json { source => "FIELD1" remove_field => [ "message" ] }
mutate { gsub => ["FIELD2", "'", '"']}
json { source => "FIELD2" remove_field => [ "message" ] }
}

How to avoid overriding of the message field ?

magnusbaeck · October 16, 2016, 3:40pm

You can't. As a workaround you can use the json filter's target option to choose where to store the results of the parsed JSON, then selectively move the fields you want to keep into the top level (if that's where you want to store them).

javatechy · October 17, 2016, 2:09pm

thanks @magnusbaeck I used this

json { source => "REQUEST" target => "request" }

and it worked for me.