Fields in documents are using a literal '.' instead of hierarchical JSON

kdp494 · January 7, 2020, 7:55pm

I am having an issue where the output from grok and other filters are producing fields with a literal '.' separator as opposed to the expected hierarchical JSON.

For example, I use the following pattern in my grok filter:
%{NUMBER:destination.port:int}

It will match successfully, but the JSON output is the following:
"destination.port": 22

Where I would expect the following:
"destination": {
"port": 22
}

This is one example of many. I have other log sources NOT going through logstash to the same index with the same fields and the output IS how I would expect. Any idea what I may be doing wrong?

Badger · January 7, 2020, 8:02pm

Field names can contain periods, so what you are seeing is exactly what is expected. logstash does not use the same syntax as kibana for nested fields. Try

%{NUMBER:[destination][port]:int}

kdp494 · January 7, 2020, 8:11pm

That did it. Thank you sir!

system · February 4, 2020, 8:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.