Flattening JSON string level with other fields

Mostafa_Talebi · July 8, 2022, 8:25am

I have set up my kibana and Elastic.
I am getting my logs from Fluentbit.
My main app log, which is JSON, is sent by Fluent with other meta fields like this:

{
    "containerId": "foo",
    "clusterId" : "bar",
    "source" : "stderr",
    "log" : "{ type: error, "msg": "cannot connect to redis" }" // My JSON-FORMATTED LOG GOES HERE 
}

I want to be able to extract fields "type" and "msg" from JSON (which is treated as string in ES) and level those with the rest of fields. This enables me to set filters and indexing properly for them.

How should I approach this?

Things I've tried:
In Data view I tried to add a field log.type (considering dot-notation works) but it doesn't work.
In Index Management, I tried to update field mappings but it doesn't allow me editing the index's fields mapping (I have full privileges).

I am looking to have my list of logs to include "type" and "msg" as distinct columns: searchable and filtertable.

nickpeihl · July 8, 2022, 4:03pm

I'm not familiar with Fluentbit since it isn't an Elastic product. But you might be able to set up an Ingest pipeline and use the JSON processor to convert the JSON string to an object.

system · August 5, 2022, 4:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Stdout parse into json Kibana	5	933	February 14, 2018
Kibana nested JSON search Kibana	2	1939	September 15, 2017
Extract certain fields from JSON Beats filebeat	5	824	July 6, 2023
Ingest pipeline merge subfields to JSON string? Elasticsearch	3	1145	April 9, 2020
Elastic and Kibana, indexing al Json with an field array looks like a plain String Elasticsearch	3	999	July 6, 2017

Flattening JSON string level with other fields

Related topics