Decode_json_fields with message field

I am running into a problem trying to run decode_json_fields on the message field of a CloudWatch event. I have this field populated with a JSON string generated in a Lambda function using JSON.stringify(obj) and have successfully parsed it to JSON. I have the error, my config below (with private info rewritten) and Functionbeat version. I cannot get this to work at all; I am trying to figure out what I need to do to parse the message field into a JSON object usable in Kibana.

When the Functionbeat Lambda runs, it is generating the error below (with private info rewritten):

{
    "type": "mapper_parsing_exception",
    "reason": "failed to parse field [message] of type [text] in document with id '_YnswHMBmRlFcyxayreH'. Preview of field's value: '{received_bytes=556, actions_executed=waf,forward, target_status_code_list=204, target_processing_time=0.002, ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256, type=https, sent_bytes=329, client_port=36789, target_port=32837, domain_name=api.greenchef.com, error_reason=-, elb=app/prod-lv-bifrost-ex/1d1234782507be97, client_ip=104.129.204.134, ssl_protocol=TLSv1.2, user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763, request_protocol=HTTP/1.1, request_verb=OPTIONS, target_group_arn=arn:aws:elasticloadbalancing:us-west-2:052248958630:targetgroup/prod-lv-bifrost-ex/345bfe1bb9e9e29e, trace_id=Root=1-5f2b3da3-88eac84eaef757520fb51ca4, matched_rule_priority=0, elb_status_code=204, request_url=https://api.greenchef.com:443/boot/lead-user/register, request_processing_time=0.001, chosen_cert_arn=arn:aws:iam::052248958630:server-certificate/greenchef-wildcard-2017, response_processing_time=0.000, target_status_code=204, target_ip=10.220.5.203, request_creation_time=2020-08-05T23:15:47.677000Z, target:port_list=10.220.5.203:32837, time=2020-08-05T23:15:47.680444Z, redirect_url=-}'",
    "caused_by": {
        "type": "illegal_state_exception",
        "reason": "Can't get text on a START_OBJECT at 1:282"
    }
}

Below is an example of my config:

########################## Functionbeat Configuration ###########################

cloud.id: "nope"
cloud.auth: "nope"

setup.ilm.enabled: true
setup.ilm.rollover_alias: "cloudwatch-message"
setup.ilm.policy_name: "cloudwatch-message"
setup.template.settings:
  index.number_of_replicas: 0

# Configure which S3 endpoint should we use.
functionbeat.provider.aws.endpoint: "s3.amazonaws.com"
# Configure which S3 bucket we should upload the lambda artifact.
functionbeat.provider.aws.deploy_bucket: "s3bucket"

functionbeat.provider.aws.functions:
  - name: cloudwatch-message
    description: "cloudwatch-message"
    enabled: true
    type: cloudwatch_logs
    triggers:
      - log_group_name: cloudwatch-message
    processors:
      - decode_json_fields:
          fields: ["message"]
          process_array: false
          max_depth: 1
          overwrite_keys: false
          add_error_key: true

functionbeat version 7.8.1 (amd64), libbeat 7.8.1 [94f7632be5d56a7928595da79f4b829ffe123744 built 2020-07-21 14:46:32 +0000 UTC]

Could you please share the debug logs of Functionbeat? Also, have you tried setting target to "" in the processor?

The error in the original message is from the logs generated by the functionbeat lambda.
I have tried target:"" and target:"newfield" and both failed with the same error.

The only way I have gotten this to work is with the below, which adds a lot more processing than necessary, but accomplishes the task:

processors:
      - copy_fields:
          fields:
            - from: message
              to: alblog
          fail_on_error: false
          ignore_missing: true
      - decode_json_fields:
          fields: ["alblog"]
          process_array: false
          max_depth: 1
          overwrite_keys: false
          add_error_key: true
      - copy_fields:
          fields:
            - from: alblog.time
              to: event.start
          fail_on_error: false
          ignore_missing: true
      - drop_fields:
          fields: ["message"]
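
A simplified Python model of the two processor chains in this thread, added here as an illustration (it is not Functionbeat code and does not come from the posters). It assumes the index maps `message` as `text`, as the error reports, and that `decode_json_fields` without a `target` replaces the source field with the decoded object; the sample event and helper names are constructed.

```python
import copy
import json

# Constructed sample: `message` holds a JSON string, as JSON.stringify would emit.
SAMPLE_EVENT = {"message": json.dumps({
    "time": "2020-08-05T23:15:47.680444Z", "request_verb": "OPTIONS",
})}
MAPPING = {"message": "text"}  # assumption: index maps `message` as text


def decode_json_field(event, field):
    """decode_json_fields with no target: decoded object replaces the string."""
    out = copy.deepcopy(event)
    if isinstance(out.get(field), str):
        try:
            out[field] = json.loads(out[field])
        except ValueError:
            pass  # not JSON: leave the original string in place
    return out


def copy_field(event, src, dst):
    """copy_fields with ignore_missing: true, for dotted field paths."""
    out = copy.deepcopy(event)
    node = out
    for part in src.split("."):
        if not isinstance(node, dict) or part not in node:
            return out  # source missing: nothing copied
        node = node[part]
    *parents, leaf = dst.split(".")
    target = out
    for part in parents:
        target = target.setdefault(part, {})
    target[leaf] = copy.deepcopy(node)
    return out


def mapping_conflicts(event, mapping):
    """Fields mapped as text that now hold an object (the START_OBJECT error)."""
    return [f for f, t in mapping.items()
            if t == "text" and isinstance(event.get(f), dict)]


def workaround(event):
    """The copy_fields / decode_json_fields / drop_fields chain posted above."""
    e = copy_field(event, "message", "alblog")
    e = decode_json_field(e, "alblog")
    e = copy_field(e, "alblog.time", "event.start")
    e.pop("message", None)  # drop_fields: ["message"]
    return e
```

Decoding `message` in place leaves an object where the mapping expects text, which is what `mapping_conflicts` flags; the workaround keeps the decoded object under `alblog`, where no text mapping applies.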
