Creating nested fields with Grok

I'm trying to create fields to measure request metrics from our profiler logs (i.e. number of requests, average request time, etc).

I have a filter with a grok match like such (shortened for simple understanding):

match => { "message" => "%{WORD:request_type} %{NUMBER:num_of_requests:int}" }
for a log line with:
exampleRequestType 77

I want to create a nested field such as exampleRequestType.num_of_requests so that I can associate the various input metrics I'm getting, as I have many request types. However, I get an error when I try these two different methods:

match => { "message" => "%{WORD:request_type} %{NUMBER:[request_type][num_of_requests]:int}" }
or by using the original match but doing a mutate rename:
rename => { "num_of_requests" => "[request_type][num_of_requests]" }

What is the correct way to do this? Thank you

In elasticsearch, a field can either be a value, such as a string or number or date, or an object that contains other fields. It cannot be both. So you cannot have request_type be the string "exampleRequestType" and also contain a sub-field [num_of_requests].
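As an added example (not from the original thread), the following Ruby sketch models how Logstash-style [a][b] field references behave on the event from this question, and shows a layout keyed by the request type's value that avoids the string-vs-object conflict; the grok pattern is approximated with a plain regex and the event is a Hash standing in for a Logstash event.

```ruby
# Constructed sample log line matching the question's grok pattern
# "%{WORD:request_type} %{NUMBER:num_of_requests:int}".
PROFILER_LINE = "exampleRequestType 77"

# Regex stand-in for the grok match: returns the flat event grok would produce.
def grok_request_line(line)
  m = /\A(?<request_type>\w+)\s+(?<num_of_requests>\d+)\z/.match(line)
  return nil unless m
  { "request_type" => m[:request_type], "num_of_requests" => m[:num_of_requests].to_i }
end

# Set a value at a Logstash-style field reference such as "[a][b]".
# Raises when an intermediate field already holds a scalar: that is the
# conflict from the answer above, a field cannot be both a string and an object.
def set_field(event, reference, value)
  keys = reference.scan(/\[([^\]]+)\]/).flatten
  *parents, leaf = keys
  node = parents.inject(event) do |cur, k|
    cur[k] = {} unless cur.key?(k)
    raise TypeError, "field [#{k}] holds #{cur[k].class}, not an object" unless cur[k].is_a?(Hash)
    cur[k]
  end
  node[leaf] = value
  event
end

# The rename attempted in the question: request_type is already the string
# "exampleRequestType", so it cannot also hold a sub-field.
def rename_under_request_type(event)
  set_field(event, "[request_type][num_of_requests]", event.delete("num_of_requests"))
end

# A layout that works: use the request type's *value* as the object name,
# which yields exampleRequestType.num_of_requests as the question asked for.
def nest_by_request_type(event)
  type = event.delete("request_type")
  set_field(event, "[#{type}][num_of_requests]", event.delete("num_of_requests"))
end
```

Note that with this layout every distinct request type becomes its own object field in the Elasticsearch mapping, so the number of fields grows with the number of request types seen.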
