Avoid overridding of default message field in logstash

javatechy · October 16, 2016, 12:10pm

I am using logstash to parse my logs. when i am parsing the json (which contains a "message" field) overrides the default message field. I tried using remove_field option of json{ } filter but that didn't work work for me.

Here is my filter code:
filter {
mutate { gsub => ["message",""","'"] }
mutate { gsub => ["message",".","_"] }
csv {
columns => ["TIMESTAMP","HEADERS","FIELD1","FIELD2","FIELD2_TIME","INTER_FIELD2"]
separator => "|"
}
mutate { gsub => ["FIELD1", "'", '"']}
json { source => "FIELD1" remove_field => [ "message" ] }
mutate { gsub => ["FIELD2", "'", '"']}
json { source => "FIELD2" remove_field => [ "message" ] }
}

How to avoid overriding of the message field ?

magnusbaeck · October 16, 2016, 3:40pm

You can't. As a workaround you can use the json filter's target option to choose where to store the results of the parsed JSON, then selectively move the fields you want to keep into the top level (if that's where you want to store them).

javatechy · October 17, 2016, 2:09pm

thanks @magnusbaeck I used this

json { source => "REQUEST" target => "request" }

and it worked for me.

Topic		Replies	Views
How to remove original message field after parsing using json filter Logstash	2	3098	June 3, 2021
Json filter message filed Logstash	4	270	July 7, 2020
To get message field for json filter Logstash	6	236	August 9, 2023
Remove / using logstash filter Logstash	4	303	November 5, 2022
Logstash Filter JSON syslog message field is not getting parsed Logstash	4	555	August 15, 2022

Avoid overridding of default message field in logstash

Related topics