[filebeat] - Json processor

JH82 · May 2, 2022, 11:34pm

Hello, I try to make a JSON transform with processor in filebeat (with http_endpoint as input).
2 questions :

when I send a simple json message like
{"message":"OK"}
I receive :
{"message": "success"} but I get many extra unwanted data in addition of my Original JSON.
why not have just "{"document":{"message":"OK"}}" into _source ?

but in elastic db i've

{
  "_index": "cri-2022",
  "_type": "_doc",
  "_id": "aWcWh4ABcwp0swy5bbh_",
  "_version": 1,
  "_score": 1,
  "_source": {
    "@timestamp": "2022-05-02T23:23:54.543Z",
    "host": {
      "name": "lenovox1g2"
    },
    "agent": {
      "name": "lenovox1g2"
    },
    "ecs": {},
    "json": {
      "message": "OK"
    },
    "input": {}
  },
  "fields": {
    "json.message": [
      "OK"
    ],
    "agent.name": [
      "lenovox1g2"
    ],
    "@timestamp": [
      "2022-05-02T23:23:54.543Z"
    ],
    "host.name": [
      "lenovox1g2"
    ]
  }
}

Question 2 :

if I have a message like this
{"content":["1"],"default_value":"\"Module 1\"","field":2} and I want to transforme into
{"Module 1":{"content":["1"],"field":2}

is it possible to do this with processor or other anyway with filebeat ?

Thank you !

Regards.

Tetiana_Kravchenko · May 5, 2022, 1:20pm

Hi @JH82

regarding question 2 - it should be possible to achieve with script processor.

system · June 2, 2022, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.