I also tried with "has_fields: ['exception']" ... no success
Every time I worked with usage of "target" or "target_prefix" it was failing ...
Now I work without that and my 322-line-filebeat-config does (nearly) what I want.
There are some more issues like "multiline pattern only working with type "log" but NOT with type "filestream" and so on. But that in another issue ...
To me, it seems like a misconfiguration. You put the results of the JSON parsing under the field mytarget, but in the dissect processor you try to parse the field mytarget_exception, which I assume is empty.
But it would be nice to see an example event you are trying to parse.
Hi,
"decode_json_fields" extracts the field "exception" which I want to deal with other processors.
This works only WITHOUT setting "target" to something else than empty (''). Please see my 1st code-example with "# running fine" comment.
Unfortunately I must not give a real life example.
If you set the target of decode_json_fields to an empty value, Filebeat puts the fields to the root of the event. I assume one of the parsed fields is called exception. Then in the later dissect processor, you configure it as the source, and it can be parsed as expected.
However, in your second configuration snippet that does not work, you put the results of the JSON processor under mytarget. Your exception field lands under the name mytarget.exception. So you should configure mytarget.exception as the field of the dissect processor. I assume that is the field you would like to dissect.
I tried and analysed for appr. 8h, with filebeat debug logs, looking into Graylog for which fields were extracted, processed and so on.
My "running" filebeat config (without any "target"-setting) has 322 lines, including multiline pattern in other inputs. So I assume to have understood most of the concept.
Let's take a step back. What if you temporarily remove the dissect processor and write to file output to see where the fields from decode_json_fields land?
Scenario 1: target: "mytarget":
If I look into Graylog, I can see the field "mytarget_exception", and also all other json-decoded fields. But in filebeat I cannot access it; no processor can "see" this field(s): no "IF hasfield", no "dissect", ...
Scenario 2: target unset:
All expected json_decoded fields AND processed derivatives of them are present in Graylog. So in Filebeat I can process json_decoded fields with "dissect", I can process with "IF hasfield ..." ...
Are there any other processors or parsers besides the ones you shared? I am trying to track down where exactly the field is born and why it is not "visible" to the later processor.
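The advice given in the replies above, put together as an added example (not a config posted by anyone in this thread): `decode_json_fields` writes under `mytarget`, the later processor addresses the nested field by its dotted path `mytarget.exception`, and a temporary file output shows where the fields land before they reach Graylog. The input id, paths, tokenizer pattern and `exc` prefix are assumptions, since the thread shows no real event.

```yaml
# Constructed example; input id, paths, tokenizer and prefix are hypothetical.
filebeat.inputs:
  - type: filestream
    id: app-json
    paths:
      - /var/log/app/*.json

processors:
  # Decoded keys are nested under "mytarget", so the JSON key "exception"
  # becomes the event field "mytarget.exception" inside Filebeat.
  - decode_json_fields:
      fields: ["message"]
      target: "mytarget"
      add_error_key: true   # surface JSON decoding errors in the event

  # Later processors and conditions must use the full dotted path.
  - dissect:
      when:
        has_fields: ["mytarget.exception"]
      field: "mytarget.exception"
      tokenizer: "%{class}: %{text}"
      target_prefix: "exc"  # results land in exc.class and exc.text

# Temporary output for inspecting the event exactly as Filebeat emits it.
# Only one output can be enabled at a time, so disable the regular output
# while this one is active.
output.file:
  path: "/tmp/filebeat-debug"
  filename: "events"
```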