I have the following message that is displayed in the kibana brought by filebeat from a linux syslog:
However, I need each field of the message to be shown in the kibana as an independent field to be able to perform metrics, for example the user field:
The configuration of my filter in logstash is the following:
SYSLOGLINE names the parsed message field "message". That field name is the source message, so you end up with an array. This should get you started:
filter {
grok {
match => { "message" => "%{SYSLOGLINE}" }
}
if [message][1] { kv { source => "[message][1]" } }
}
With overwrite => ["message"] in the grok filter the message field won't become an array.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.