I have no idea.
But I found this:
Problem Statement
I believe there is a bug in the ruby filter plugin when using event.remove
Expected Output:
...
event_data.sql_text => "some sql text"
event_data.logType => "Oracle"
...
With no root fields (e.g., sql_text or logType). All data should reside under event_data nested object.
Background:
I am using docker instances to run an ES stack (3 Elasticsearches, 1 Logstash).
I have tested this with docker versions 6.0.0 and 6.3.0 for Logstash.
I'm pulling in data from variety of source…
Looks very much the same.
I have created a script and have the path variable point to it.
In this script I created a new event with
```ruby
def filter(event)
  docs = []
  new_event = LogStash::Event.new
  # <code>
  docs.push(new_event)
  return docs
end
```
and filled this event with the correct format.
To no avail.
I cannot remove the fields in a hardcoded way because the formats of the events differ.
Regards Hans
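
An added example, not code from this post or from the linked issue: a script-file `filter(event)` that moves every root field under `event_data` without hardcoding field names, using only `to_hash`, `set` and `remove`. The stand-in `LogStash::Event` class and the `KEEP_AT_ROOT` list are assumptions made so the logic runs outside Logstash; it does not reproduce or test the `event.remove` behaviour reported for 6.0.0 and 6.3.0.

```ruby
# Constructed stand-in for LogStash::Event so the script runs outside Logstash;
# it mimics only get/set/remove/to_hash with "[a][b]" field references.
unless defined?(LogStash::Event)
  module LogStash
    class Event
      def initialize(data = {})
        @data = data.dup
      end

      # Returns a copy, so callers can iterate it while mutating the event.
      def to_hash
        @data.dup
      end

      def get(ref)
        path(ref).reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
      end

      def set(ref, value)
        *parents, leaf = path(ref)
        holder = parents.reduce(@data) { |h, k| h[k].is_a?(Hash) ? h[k] : (h[k] = {}) }
        holder[leaf] = value
      end

      def remove(ref)
        *parents, leaf = path(ref)
        holder = parents.reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
        holder.is_a?(Hash) ? holder.delete(leaf) : nil
      end

      private

      def path(ref)
        ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
      end
    end
  end
end

KEEP_AT_ROOT = %w[@timestamp @version event_data].freeze # assumed keep-list

# Script-file entry point: nest every other root field under event_data.
def filter(event)
  event.to_hash.each do |name, value|
    next if KEEP_AT_ROOT.include?(name)
    event.set("[event_data][#{name}]", value) # copy under the nested object
    event.remove(name)                        # then drop the root copy
  end
  [event] # return the same event; a fresh event would replace the original
end
```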