v7.2
When setting target_prefix to "" (empty string) the output from the dissector does not appear in console. When I set it to anything else, including a single whitespace, it does appear.
Any suggestions ?
Hey @paulkeogh,
What do you mean by not appearing in console? Do you mean in logs? Could you share an example of what you are seeing with a non empty prefix?
Here is my config;
processors:
- dissect:
target_prefix: "access"
field: "message"
tokenizer: '[%{@timestamp}] %{client.ip} %{http.request.method} %{url.original} %{http.response.status_code} %{http.request.body.bytes} %{http.response.body.bytes}'
With this I get;
.......
"access": {
"url": {
"original": "/v1/xxxx/01b0f411-f7b3-49df-bfc3-322642f7cd77/88a8c554-88ef-4ed0-ba4a-23dde97cf161?channel=ALL&filter=PUBLISHED&page=0&sortField=PUBLISH_DATE&sortOption=DESC"
},
"http": {
......
When I set target_prefix to "" , no access element is created in the output document.
Do you mean that no "url" element is created?
With this configuration I think that these fields should be placed in url.original, http.request.method and so on.
Is it possible that some of these fields conflict with some existing field?