I am running into a problem trying to process decode_json_fields on the message field of a CloudWatch event. I have this field populated with a JSON string generated in a Lambda function using JSON.stringify(obj) and have successfully parsed it to JSON. I have included the error, my config (with private info rewritten) and the Functionbeat version below. I cannot get this to work at all and am trying to figure out what I need to do to parse the message field into a JSON object usable in Kibana.
When the Functionbeat Lambda runs, it generates the error below (with private info rewritten):
{
  "type": "mapper_parsing_exception",
  "reason": "failed to parse field [message] of type [text] in document with id '_YnswHMBmRlFcyxayreH'. Preview of field's value: '{received_bytes=556, actions_executed=waf,forward, target_status_code_list=204, target_processing_time=0.002, ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256, type=https, sent_bytes=329, client_port=36789, target_port=32837, domain_name=api.greenchef.com, error_reason=-, elb=app/prod-lv-bifrost-ex/1d1234782507be97, client_ip=104.129.204.134, ssl_protocol=TLSv1.2, user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763, request_protocol=HTTP/1.1, request_verb=OPTIONS, target_group_arn=arn:aws:elasticloadbalancing:us-west-2:052248958630:targetgroup/prod-lv-bifrost-ex/345bfe1bb9e9e29e, trace_id=Root=1-5f2b3da3-88eac84eaef757520fb51ca4, matched_rule_priority=0, elb_status_code=204, request_url=https://api.greenchef.com:443/boot/lead-user/register, request_processing_time=0.001, chosen_cert_arn=arn:aws:iam::052248958630:server-certificate/greenchef-wildcard-2017, response_processing_time=0.000, target_status_code=204, target_ip=10.220.5.203, request_creation_time=2020-08-05T23:15:47.677000Z, target:port_list=10.220.5.203:32837, time=2020-08-05T23:15:47.680444Z, redirect_url=-}'",
  "caused_by": {
    "type": "illegal_state_exception",
    "reason": "Can't get text on a START_OBJECT at 1:282"
  }
}
Below is an example of my config:
########################## Functionbeat Configuration ###########################
cloud.id: "nope"
cloud.auth: "nope"
setup.ilm.enabled: true
setup.ilm.rollover_alias: "cloudwatch-message"
setup.ilm.policy_name: "cloudwatch-message"
setup.template.settings:
  index.number_of_replicas: 0
# Configure which S3 endpoint should we use.
functionbeat.provider.aws.endpoint: "s3.amazonaws.com"
# Configure which S3 bucket we should upload the lambda artifact.
functionbeat.provider.aws.deploy_bucket: "s3bucket"
functionbeat.provider.aws.functions:
  - name: cloudwatch-message
    description: "cloudwatch-message"
    enabled: true
    type: cloudwatch_logs
    triggers:
      - log_group_name: cloudwatch-message
    processors:
      - decode_json_fields:
          fields: ["message"]
          process_array: false
          max_depth: 1
          overwrite_keys: false
          add_error_key: true
functionbeat version 7.8.1 (amd64), libbeat 7.8.1 [94f7632be5d56a7928595da79f4b829ffe123744 built 2020-07-21 14:46:32 +0000 UTC]
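
An added example, not part of the original post: the error preview shows `message` reaching Elasticsearch as an object while the index maps it as `text`, which is what `decode_json_fields` produces when no `target` is set, because the decoded object then replaces the source field. The fragment below shows the posted processor next to a variant that writes the decoded object elsewhere; the field name `alb` is a hypothetical choice.

```yaml
processors:
  # As posted: no `target`, so the decoded object replaces the string in
  # `message` and collides with the `text` mapping for that field.
  # - decode_json_fields:
  #     fields: ["message"]
  #     process_array: false
  #     max_depth: 1
  #     overwrite_keys: false
  #     add_error_key: true

  # Variant: keep `message` as the original string and put the decoded
  # object under its own field, so the two mappings no longer conflict.
  - decode_json_fields:
      fields: ["message"]
      process_array: false
      max_depth: 1
      target: "alb"          # hypothetical field name; pick one not already mapped
      overwrite_keys: false
      add_error_key: true

  # Alternative: `target: ""` merges the decoded keys into the event root.
  # With `overwrite_keys: false`, keys that already exist in the event
  # (including `message`) keep their current values.
```

Documents already indexed with the old shape keep their mapping, so a changed field layout takes effect on the next index the rollover alias creates.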