Expand_keys doesn't work if target option is used in decode_json_fields beat processor

iorfix · May 20, 2022, 10:16am

In decode_json_fields processor, expanded notation works only if target is left to "".
In fact, in source code ( beats/decode_json_fields.go at master · elastic/beats · GitHub ) there is a clear if section:

		if target != "" {
			_, err = event.PutValue(target, output)
		} else {
			switch t := output.(type) {
			case map[string]interface{}:
				jsontransform.WriteJSONKeys(event, t, f.expandKeys, f.overwriteKeys, f.addErrorKey)
			default:
				errs = append(errs, "failed to add target to root")
			}
		}

Is there a reson for this?
I'd like to convert a json under a specific object (e.g. under the old json field), rename all relevant info into toplevel ECS structure, and then delete the object, so that I don't send any unnecessary info.
Thank you,
D.

kvch · May 23, 2022, 2:46pm

It is a bug. Could you please open an issue on GH? Sign in to GitHub · GitHub

iorfix · May 23, 2022, 3:36pm

Issue opened: Expand_keys doesn’t work if target option is used in decode_json_fields beat processor · Issue #31712 · elastic/beats · GitHub
Thank you.

kvch · May 24, 2022, 10:35am

Thank you!

system · June 21, 2022, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ndjson parser doesn't expand keys if target is set Beats filebeat , libbeat	3	295	June 28, 2023
ERROR instance/beat.go:971 Exiting: error initializing processors: unexpected expand_keys option in processors.1.decode_json_fields Beats filebeat	5	861	June 19, 2021
Filebeat: Bug: Processor "decode_json_fields" with usage of "target" Beats filebeat	14	1924	March 16, 2022
Target field in ndjson Beats filebeat	4	422	February 24, 2023
Process json with multiple keys of same name via filebeat.yml Beats filebeat	1	234	March 8, 2023

Expand_keys doesn't work if target option is used in decode_json_fields beat processor

Related Topics