How to access nested message in logstash KV filter

Vincent_Chen · April 3, 2019, 2:18am

Hi everyone,

I want to use KV filter to parse a nested message field, see below for my sample json:

  {
    "_index": "myindex",
    "_type": "doc",
    "_id": "myid",
    "_score": 5.339951,
    "_source": {
      "msg": "some msg",
      "message": "a=1, b=2, c=3, d=4"
    }
  }

And I tried using a kv filter like this

kv {
source => "[_source][message]"
value_split => "="
field_split => ",\s"
}

But this doesn't work. I also tried "_source.message", "_source.message.value" and "message" as the source, none of these work.

Any idea?

Many thanks.

Cheers,
Vincent

Badger · April 3, 2019, 1:44pm

If that's the message your that logstash is receiving (which is unclear, since it looks like the output from an elasticsearch query, so it could be what you get after logstash writes to ES), then provided you have

filter { json { source => "message" } }

that kv filter should work.

system · May 1, 2019, 1:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How can I parse nested json in message? Logstash	2	442	May 27, 2020
Logstasg KV Logstash	7	558	February 13, 2018
Using KV with JSON Logstash	7	2498	July 6, 2017
Logstash filter for records of nested json messages from eventhub Logstash	3	298	October 20, 2022
Logstash Filter \|\| Json Message to Split Fields Logstash	3	2122	October 14, 2019

How to access nested message in logstash KV filter

Related topics