I have a filebeat yaml like:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/containers/App/*.log
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
  fields:
    service: "service_name"
    instance: "instance_id"
  fields_under_root: true
setup.template.settings:
  index.number_of_shards: 3
output.elasticsearch:
  hosts: ["http://es_host:9200"]
And my understanding of field_under_root=true would be for the two custom fields defined (service and instance) to be stored at the top level, but when I view the logs in Kibana I have a field called field_under_root with the value true, which seems strange to me. Also I have a warning:
WARN elasticsearch/client.go:520 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbefe80c61a64667f, ext:1510386514247, loc:(*time.Location)(0x20ed1e0)}, Meta:common.MapStr(nil), Fields:common.MapStr{"beat":common.MapStr{"name":"ip-172-31-29-191", "hostname":"ip-172-31-29-191", "version":"6.5.0"}, "offset":63452, "input":common.MapStr{"type":"log"}, "service":"service/post-rate", "instance":"$id", "host":common.MapStr{"name":"ip-172-31-29-191"}, "message":"[2018-12-19 00:06:47.984] [0a26c905c7a2] [POST_RATE_DECIDE_V2-021088fb-2bc1-4101-82fc-0842f6c7fb67-StreamThread-5] INFO i.fama.core.service.kafka.FilterStep@lambda$null$0:17 - Processing POST_RATE_DECIDE_V2 to POST_CALCULATE_FLAGS_V2 for UUIDCompoundKey{inputKey=8d938fe1-0317-11e9-8613-1b95aa49ca15, outputKey=8dff22f1-0317-11e9-8613-1b95aa49ca15}", "source":"/var/log/eb-docker/containers/eb-current-app/service.post-rate.IT-148-3.stdout.log", "prospector":common.MapStr{"type":"log"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc4209ac1a0), Source:"/var/log/eb-docker/containers/eb-current-app/service.post-rate.IT-148-3.stdout.log", Offset:63801, Timestamp:time.Time{wall:0xbefe80789986431b, ext:1200371956279, loc:(*time.Location)(0x20ed1e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x60794, Device:0xca01}}}, Flags:0x1} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [service] tried to parse field [service] as object, but found a concrete value"}
And I am not sure if this is related to the fields_under_root behaviour?
Any input is more than welcome.
Thanks
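
Added example, not part of the original post: the error text in the WARN line says the index maps `service` as an object while the event carries a plain string. The Python check below compares an event against an index mapping to flag that kind of conflict before events are rejected with status 400; the mapping is constructed for illustration (an assumption about the index), and the event fields are copied from the WARN line.

```python
"""Pre-flight check for the mapper_parsing_exception quoted in the post."""

# Constructed sample mapping (assumption): the target index already maps
# `service` as an object, which is what the error text in the post implies.
SAMPLE_MAPPING = {
    "properties": {
        "service": {"properties": {"name": {"type": "keyword"}}},
        "instance": {"type": "keyword"},
        "host": {"properties": {"name": {"type": "keyword"}}},
        "message": {"type": "text"},
    }
}

# Event fields taken from the WARN line in the post (message shortened).
SAMPLE_EVENT = {
    "service": "service/post-rate",
    "instance": "$id",
    "host": {"name": "ip-172-31-29-191"},
    "message": "[2018-12-19 00:06:47.984] ...",
}


def is_object_mapping(field_mapping):
    """A mapping entry is object-like if it has sub-properties or an object type."""
    return ("properties" in field_mapping
            or field_mapping.get("type") in ("object", "nested"))


def find_conflicts(event, mapping, prefix=""):
    """Return (path, reason) pairs for fields whose shape contradicts the mapping."""
    conflicts = []
    props = mapping.get("properties", {})
    for key, value in event.items():
        field_mapping = props.get(key)
        if field_mapping is None or value is None:
            continue  # unmapped or null: nothing to contradict yet
        path = prefix + key
        mapped_as_object = is_object_mapping(field_mapping)
        if mapped_as_object and not isinstance(value, dict):
            conflicts.append((path, "mapped as object, event has concrete value"))
        elif not mapped_as_object and isinstance(value, dict):
            conflicts.append((path, "mapped as concrete field, event has object"))
        elif mapped_as_object:
            conflicts.extend(find_conflicts(value, field_mapping, path + "."))
    return conflicts


if __name__ == "__main__":
    for path, reason in find_conflicts(SAMPLE_EVENT, SAMPLE_MAPPING):
        print(f"{path}: {reason}")
```

The check only compares scalars and objects; arrays and dynamic-mapping rules are not modelled.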