Decode_json_fields with message field

Elastic Stack Beats
1

I am running into a problem of trying to process decode_json_fields on the message field out of a cloudwatch event. I have this field populated with a json string generated in a lambda function using JSON.stringify(obj) and have successfully parsed it to json. I have the error, my config below (with private info rewritten) and functionbeat version. I cannot get this to work at all, trying to figure out what I need to do to parse the message field into a json object usable in kibana.

when the functionbeat lambda runs, it is generating the error below (with private info rewritten)

{
    "type": "mapper_parsing_exception",
    "reason": "failed to parse field [message] of type [text] in document with id '_YnswHMBmRlFcyxayreH'. Preview of field's value: '{received_bytes=556, actions_executed=waf,forward, target_status_code_list=204, target_processing_time=0.002, ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256, type=https, sent_bytes=329, client_port=36789, target_port=32837, domain_name=api.greenchef.com, error_reason=-, elb=app/prod-lv-bifrost-ex/1d1234782507be97, client_ip=104.129.204.134, ssl_protocol=TLSv1.2, user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763, request_protocol=HTTP/1.1, request_verb=OPTIONS, target_group_arn=arn:aws:elasticloadbalancing:us-west-2:052248958630:targetgroup/prod-lv-bifrost-ex/345bfe1bb9e9e29e, trace_id=Root=1-5f2b3da3-88eac84eaef757520fb51ca4, matched_rule_priority=0, elb_status_code=204, request_url=https://api.greenchef.com:443/boot/lead-user/register, request_processing_time=0.001, chosen_cert_arn=arn:aws:iam::052248958630:server-certificate/greenchef-wildcard-2017, response_processing_time=0.000, target_status_code=204, target_ip=10.220.5.203, request_creation_time=2020-08-05T23:15:47.677000Z, target:port_list=10.220.5.203:32837, time=2020-08-05T23:15:47.680444Z, redirect_url=-}'",
    "caused_by": {
        "type": "illegal_state_exception",
        "reason": "Can't get text on a START_OBJECT at 1:282"
    }
}

below is an example of my config

########################## Functionbeat Configuration ###########################

cloud.id: "nope"
cloud.auth: "nope"

setup.ilm.enabled: true
setup.ilm.rollover_alias: "cloudwatch-message"
setup.ilm.policy_name: "cloudwatch-message"
setup.template.settings:
  index.number_of_replicas: 0

# Configure which S3 endpoint should we use.
functionbeat.provider.aws.endpoint: "s3.amazonaws.com"
# Configure which S3 bucket we should upload the lambda artifact.
functionbeat.provider.aws.deploy_bucket: "s3bucket"

functionbeat.provider.aws.functions:
  - name: cloudwatch-message
    description: "cloudwatch-message"
    enabled: true
    type: cloudwatch_logs
    triggers:
      - log_group_name: cloudwatch-message
    processors:
      - decode_json_fields:
          fields: ["message"]
          process_array: false
          max_depth: 1
          overwrite_keys: false
          add_error_key: true

functionbeat version 7.8.1 (amd64), libbeat 7.8.1 [94f7632be5d56a7928595da79f4b829ffe123744 built 2020-07-21 14:46:32 +0000 UTC]

2

Could you please share the debug logs of Functionbeat? Also, have you tried setting target to "" in the processor?

3

The error in the original message is from the logs generated by the functionbeat lambda.
I have tried target:"" and target:"newfield" and both failed with the same error.

the only way i have gotten this to work is with the below, which adds a lot more processing than necessary, but accomplishes the task

processors:
      - copy_fields:
          fields:
            - from: message
              to: alblog
          fail_on_error: false
          ignore_missing: true
      - decode_json_fields:
          fields: ["alblog"]
          process_array: false
          max_depth: 1
          overwrite_keys: false
          add_error_key: true
      - copy_fields:
          fields:
            - from: alblog.time
              to: event.start
          fail_on_error: false
          ignore_missing: true
      - drop_fields:
          fields: ["message"]
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.