Dissect Filter, Creating Subfields

shinobu · May 19, 2022, 10:42am

Hello,

how can i get dissect to create a structure with subfields?

        dissect {
            mapping => {
                "message" => "%{test.subfield}.%{test.subfield2}"
            }
        }

I would expect so get some output like:

test => {
"subfield" => "somevalue",
"subfield2" => "anothervalue"
}

I tried test.subfield, because grok accpets it this way, but it appears to be different in dissect.
The actual output looks like

"test.subfield" => "somevalue",
"test.subfield2" => "anothervalue"

I hope you can help me out.

leandrojmp · May 19, 2022, 11:59am

The way to reference nested fields in logstash is using the [top-level][sub-level] format, both in grok and dissect and in any other filter in logstash.

So to have a field named test with the fields subfield and subfield2 nested under it, you should use [test][subfield] and [test][subfield2].

So, change your dissect to this:

"message" => "%{[test][subfield]}.%{[test][subfield2]}"

system · June 16, 2022, 11:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dissect Filter - Catching a sub field Logstash	4	1342	December 11, 2018
Dissect filter plugin to map nested fields Logstash	3	1268	November 4, 2020
How to refer to subfield in logstash Logstash	3	6747	April 19, 2017
Dissect filter is not dissecting properly Logstash	2	2328	February 1, 2018
Logstash split fields into new fields(field1, field2, field3, field4, field5) Logstash	15	799	March 22, 2018

Dissect Filter, Creating Subfields

Related topics