Dissect Filter, Creating Subfields

shinobu · May 19, 2022, 10:42am

Hello,

how can i get dissect to create a structure with subfields?

        dissect {
            mapping => {
                "message" => "%{test.subfield}.%{test.subfield2}"
            }
        }

I would expect so get some output like:

test => {
"subfield" => "somevalue",
"subfield2" => "anothervalue"
}

I tried test.subfield, because grok accpets it this way, but it appears to be different in dissect.
The actual output looks like

"test.subfield" => "somevalue",
"test.subfield2" => "anothervalue"

I hope you can help me out.

leandrojmp · May 19, 2022, 11:59am

The way to reference nested fields in logstash is using the [top-level][sub-level] format, both in grok and dissect and in any other filter in logstash.

So to have a field named test with the fields subfield and subfield2 nested under it, you should use [test][subfield] and [test][subfield2].

So, change your dissect to this:

"message" => "%{[test][subfield]}.%{[test][subfield2]}"

system · June 16, 2022, 11:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dissect filter plugin to map nested fields Logstash	3	1195	November 4, 2020
Logstash dissect and grok pattern matching issue Logstash	7	470	May 20, 2021
Checking for existence of nested field Logstash	3	1338	July 6, 2017
Best Way to create nested field Logstash	10	21022	July 6, 2017
Grok + Dissect - how to work properly? Logstash	4	722	May 4, 2020

Dissect Filter, Creating Subfields

Related Topics