So, i'm trying to do something ... weird.
Filebeat01 - > filebeat02-> logstash.
On filebeat01 i enabled logstash output with filbeat02 as target and on filebeat02 tcp input. The json from the first filebat is encapultated in the "message" field of the filebeat02 and it will enter logstash with the metadata and all fields of filbeat02 and in filebeat02's message the full json of filebeat01.
Would it be possible to overwrite the metadata and all fields from the "outer" json with the fields from the included json?
A processor or something?
Plus: it starts with some weird string that i think should be removed somehow.
Example of what ends in logstash:
"message": 2W2J�{"@timestamp":"2020-08-18T22:35:59.917Z","@metadata":{"beat":"filebeat","type":"_doc","version":"7.8.1"},"log":{"offset":0,"file":{"path":"/opt/logs/logstash-stdout.log"}},"message":"[2020-08-18T18:52:49,112][WARN ][logstash.runner ] SIGTERM received. Shutting down.","input":{"type":"log"},"ecs":{"version":"1.5.0"},"host":{"name":"filebeat01"},"agent":{"name":"filebeat01","type":"filebeat","version":"7.8.1","hostname":"filebeat01","ephemeral_id":"4d4154d6-e989-4bf3-a2c3-cd90b46a9ea4","id":"a85a5b61-bc03-46c6-8544-c4f330ab91dd"}}
So i would want "2W2J�" removed and then the fields in the message to overwrite the fields in the outer (root) json.
Would that even be possible?