I started ingesting audit logs from Google Cloud, and I'm getting "Objects in arrays are not well supported" notifications in Kibana for all arrays found in logs.
What would be the best solution to fix the issue?
Changing data type from an object to nested?
-- Kibana won't support this, not sure if this is even a good solution.
A parent-child relationship?
-- Slower performance.
Denormalize data?
-- Adding more documents to the current index.
If I choose #3, denormalize data, how should I go about doing it for the following document?
@Larry_Gregory I tried to use the Split filter plugin to flatten arrays, but I'm getting an error.
In the logs, I have a new tag: "_split_type_failure"
In the Logstash log: "[2019-07-23T19:59:44,006][WARN ][logstash.filters.split ] Only String and Array types are splittable. field:[authorizationInfo] is of type = NilClass"
input {
  google_pubsub {
    project_id       => "testing"
    topic            => "test_topic"
    subscription     => "logstash-sub"
    include_metadata => true
    codec            => "json"
  }
  # optional, but helpful to generate the ES index and test the plumbing
  heartbeat {
    interval => 10
    type     => "heartbeat"
  }
}

filter {
  # don't modify logstash heartbeat events
  if [type] != "heartbeat" {
    mutate {
      add_field => { "messageId" => "%{[@metadata][pubsub_message][messageId]}" }
    }

    # Only split when the field is actually present; the split filter logs
    # "Only String and Array types are splittable ... NilClass" and tags the
    # event _split_type_failure when the field is missing. In a GCP audit
    # LogEntry the array is nested at [protoPayload][authorizationInfo],
    # not at the top level, so adjust the path to match the document.
    if [authorizationInfo] {
      split {
        field => "[authorizationInfo]"
      }
    }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts    => ["https://URL:9243"]
    ssl      => true
    user     => "XXXX"
    password => "XXXX"
    index    => "logstash-gcp-audit-%{+YYYY.MM.dd}"
  }
}
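The denormalization the thread is after (one document per authorizationInfo element, with the rest of the entry copied into each), as an added example that is not part of the original post. It mirrors what the Logstash split filter does, including the failure mode from the warning above: an absent or non-array field returns the event unchanged with a _split_type_failure tag. The sample entry is constructed, and the dotted-path helper is assumed, not Logstash syntax.

```python
import copy

# Constructed sample: a minimal GCP audit LogEntry, not a real captured log.
# The authorizationInfo array sits under protoPayload, not at the top level.
SAMPLE_EVENT = {
    "logName": "projects/testing/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "methodName": "storage.objects.get",
        "authorizationInfo": [
            {"resource": "projects/_/buckets/b1", "permission": "storage.objects.get", "granted": True},
            {"resource": "projects/_/buckets/b1/objects/o1", "permission": "storage.objects.get", "granted": False},
        ],
    },
}


def get_path(event, path):
    """Resolve a dotted path such as 'protoPayload.authorizationInfo'; None if absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def split_event(event, path):
    """Denormalize: return one deep copy of the event per array element at `path`,
    with the array replaced by that single element. A missing or non-array field
    yields the original event tagged _split_type_failure, like the Logstash filter."""
    value = get_path(event, path)
    if not isinstance(value, list):
        failed = copy.deepcopy(event)
        failed.setdefault("tags", []).append("_split_type_failure")
        return [failed]
    keys = path.split(".")
    out = []
    for element in value:
        doc = copy.deepcopy(event)
        parent = get_path(doc, ".".join(keys[:-1])) if len(keys) > 1 else doc
        parent[keys[-1]] = element  # single object, so Kibana can query it flat
        out.append(doc)
    return out
```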