Dissect processor issue

v7.2

When setting target_prefix to "" (empty string) the output from the dissector does not appear in console. When I set it to anything else, including a single whitespace, it does appear.

Any suggestions?

Hey @paulkeogh,

What do you mean by not appearing in console? Do you mean in logs? Could you share an example of what you are seeing with a non-empty prefix?

Here is my config:

    processors:
      - dissect:
          target_prefix: "access"
          field: "message"
          tokenizer: '[%{@timestamp}] %{client.ip} %{http.request.method} %{url.original} %{http.response.status_code} %{http.request.body.bytes} %{http.response.body.bytes}'

With this I get:

    .......
    "access": {
      "url": {
        "original": "/v1/xxxx/01b0f411-f7b3-49df-bfc3-322642f7cd77/88a8c554-88ef-4ed0-ba4a-23dde97cf161?channel=ALL&filter=PUBLISHED&page=0&sortField=PUBLISH_DATE&sortOption=DESC"
      },
      "http": {
    ......

When I set target_prefix to "", no access element is created in the output document.

Do you mean that no "url" element is created?

With this configuration I think that these fields should be placed in url.original, http.request.method and so on.

Is it possible that some of these fields conflict with some existing field?
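
One way to check the conflict question raised in the last reply offline, added here as an example (it is not from any poster in this thread and is not Beats code): a simplified Python model of the tokenizer that lists which dissected keys already exist in an event for a given target_prefix. The sample event and its values are constructed, and the function names are hypothetical.

```python
import re

# Tokenizer copied from the config posted in the thread.
TOKENIZER = ('[%{@timestamp}] %{client.ip} %{http.request.method} %{url.original} '
             '%{http.response.status_code} %{http.request.body.bytes} '
             '%{http.response.body.bytes}')

# Constructed sample event: fields a shipper has already set before dissect runs.
EVENT = {
    '@timestamp': '2019-07-12T10:15:33.000Z',
    'message': '[12/Jul/2019:10:15:32 +0000] 10.0.0.5 GET /v1/items?page=0 200 0 512',
    'host': {'name': 'web-01'},
    'log': {'file': {'path': '/var/log/app/access.log'}},
}

def dissect(tokenizer, message):
    """Simplified model: plain %{key} tokens separated by literal text."""
    keys = re.findall(r'%\{([^}]+)\}', tokenizer)
    literals = re.split(r'%\{[^}]+\}', tokenizer)
    pattern = ''.join(re.escape(lit) + ('(.*?)' if i < len(keys) else '')
                      for i, lit in enumerate(literals))
    match = re.fullmatch(pattern, message)
    return dict(zip(keys, match.groups())) if match else None

def conflicts(event, fields, target_prefix):
    """Return dotted paths that would land on a field the event already has."""
    clashes = []
    for key in fields:
        path = f'{target_prefix}.{key}' if target_prefix else key
        parts = path.split('.')
        node = event
        for i, part in enumerate(parts):
            if not isinstance(node, dict):   # parent exists but is a scalar
                clashes.append(path)
                break
            if part not in node:             # free path, nothing to collide with
                break
            if i == len(parts) - 1:          # exact leaf already present
                clashes.append(path)
            node = node[part]
    return clashes

if __name__ == '__main__':
    fields = dissect(TOKENIZER, EVENT['message'])
    for prefix in ('access', ''):
        print(repr(prefix), '->', conflicts(EVENT, fields, prefix))
```

For the constructed event, the only key that collides at the root is `@timestamp`; under the "access" prefix nothing collides.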
