Filebeat - Overwrite hostname from decoded json

Ajay_Singh2 · November 24, 2020, 4:25pm

Hi,

I am trying to ingest a json file using filebeat, here are few logs from the file:

{"iso.gov.dd.internet.public.enterprises.7.0.1.3.0":23,"@timestamp":"2020-11-24T09:09:09.875Z","host":"1.2.3.4","@version":"1"}
{"iso.gov.dod.internet.public.enterprises.7.0.1.3.0":23,"@timestamp":"2020-11-24T09:14:09.984Z","host":"1.2.3.4","@version":"1"}

Here is how my filebeat.yml configuration:

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /root/test.log
  json.add_error_key: true
  json.keys_under_root: true
  json.message_key: "iso.gov.dod.internet.public.enterprises.7.0.1.3.0"
processors:
  - decode_json_fields:
    fields: ['message']
    target: json

Now, i am having two issues:

Getting error - Key 'iso.gov.dod.internet.public.enterprises.7.0.1.3.0' not found
i need to overwrite the host.name with host value decoded from the json - (Priority )

shaunak · November 25, 2020, 2:41am

That's probably because there is no such key in your first sample entry. I think there's a typo in that entry: dd instead of dod?

I was able to accomplish this with the following configuration:

filebeat.inputs:
- type: log
  paths:
    - /root/test.log
  json.add_error_key: true

processors:
  - drop_fields:
     fields:
       - host.name
  - copy_fields:
      fields:
        - from: json.host
          to: host.name

system · December 23, 2020, 4:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.