I have set up a self-hosted Elastic Stack with Kibana to track logs for a web application (Ruby on Rails). I am pushing the production logs to Elastic using Fleet. I am creating the log in JSON format from the application, and a typical log looks like below.
```json
{"method":"POST","path":"<url>","format":"html","controller":"<class_name>","action":"<method>","status":200,"duration":71.21,"view":0.28,"db":0.0,"params":{<data>},"host":"<domain>","user_id":102,"time":"2023-02-23 12:52:31 +0000","ip":"<ip>"}
```
I use the following processor to decode the JSON:

```yaml
- decode_json_fields:
    fields: ["message"]
    max_depth: 1
    target: "parsed_result"
    when:
      regexp:
        message: '\"path\":\"'
```
The above code does its job by decoding the results and showing them as parsed_result.controller, parsed_result.user_id, etc. But it's also decoding the whole of the params field as well.
How can I prevent the decoding of the params field, and just store the data inside params as a huge JSON/hash?
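
Added example, not part of the original post: one way to keep `params` as a single opaque string is to serialize it to a JSON string in the application before the line is written, so that a one-level decode leaves it alone. It assumes the Rails log format can be changed; `build_log_line`, `decode_one_level`, `params_of` and all sample values are hypothetical, and Ruby's `JSON.parse` stands in for a single-level decode (it is not Filebeat itself).

```ruby
require "json"

# Constructed sample event in the shape shown in the question.
SAMPLE_EVENT = {
  "method" => "POST", "path" => "/orders", "format" => "html",
  "controller" => "OrdersController", "action" => "create",
  "status" => 200, "duration" => 71.21, "view" => 0.28, "db" => 0.0,
  "params" => { "order" => { "sku" => "A-1", "note" => "say \"hi\"" }, "page" => "2" },
  "host" => "app.example.test", "user_id" => 102,
  "time" => "2023-02-23 12:52:31 +0000", "ip" => "192.0.2.10"
}.freeze

# Emit the log line with "params" pre-serialized to a JSON *string*
# instead of being nested as an object.
def build_log_line(event)
  flat = event.dup
  params = flat["params"]
  # Serialize only structures; strings and nil pass through unchanged.
  flat["params"] = JSON.generate(params) if params.is_a?(Hash) || params.is_a?(Array)
  JSON.generate(flat)
end

# Stand-in for a decode that goes exactly one level deep: parse the line
# once and do not re-parse string values found inside it.
def decode_one_level(line)
  JSON.parse(line)
end

# Recover the original params structure later, on demand.
def params_of(decoded)
  raw = decoded["params"]
  raw.is_a?(String) ? JSON.parse(raw) : raw
end

if __FILE__ == $PROGRAM_NAME
  line = build_log_line(SAMPLE_EVENT)
  decoded = decode_one_level(line)
  puts line
  puts "params class after one-level decode: #{decoded['params'].class}"
  puts "top-level fields still typed: user_id=#{decoded['user_id'].inspect}"
  puts "params recovered on demand: #{params_of(decoded).inspect}"
end
```

Because `params` reaches the index as one string field, arbitrary request keys cannot add new field mappings, and the value can still be parsed back when needed.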