Expand_keys doesn't work if target option is used in decode_json_fields beat processor

iorfix · May 20, 2022, 10:16am

In decode_json_fields processor, expanded notation works only if target is left to "".
In fact, in source code ( beats/decode_json_fields.go at master · elastic/beats · GitHub ) there is a clear if section:

		if target != "" {
			_, err = event.PutValue(target, output)
		} else {
			switch t := output.(type) {
			case map[string]interface{}:
				jsontransform.WriteJSONKeys(event, t, f.expandKeys, f.overwriteKeys, f.addErrorKey)
			default:
				errs = append(errs, "failed to add target to root")
			}
		}

Is there a reson for this?
I'd like to convert a json under a specific object (e.g. under the old json field), rename all relevant info into toplevel ECS structure, and then delete the object, so that I don't send any unnecessary info.
Thank you,
D.

kvch · May 23, 2022, 2:46pm

It is a bug. Could you please open an issue on GH? Sign in to GitHub · GitHub

iorfix · May 23, 2022, 3:36pm

Issue opened: Expand_keys doesn’t work if target option is used in decode_json_fields beat processor · Issue #31712 · elastic/beats · GitHub
Thank you.

kvch · May 24, 2022, 10:35am

Thank you!

system · June 21, 2022, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ndjson parser doesn't expand keys if target is set Beats filebeat , libbeat	3	300	June 28, 2023
ERROR instance/beat.go:971 Exiting: error initializing processors: unexpected expand_keys option in processors.1.decode_json_fields Beats filebeat	5	861	June 19, 2021
Filebeat: Bug: Processor "decode_json_fields" with usage of "target" Beats filebeat	14	1927	March 16, 2022
JSON field expansion Beats filebeat	3	744	July 30, 2020
Problem with filebeat "failed to add target to root" Beats filebeat	3	417	August 18, 2021

Expand_keys doesn't work if target option is used in decode_json_fields beat processor

Related topics