How to access nested message in logstash KV filter

Vincent_Chen · April 3, 2019, 2:18am

Hi everyone,

I want to use KV filter to parse a nested message field, see below for my sample json:

  {
    "_index": "myindex",
    "_type": "doc",
    "_id": "myid",
    "_score": 5.339951,
    "_source": {
      "msg": "some msg",
      "message": "a=1, b=2, c=3, d=4"
    }
  }

And I tried using a kv filter like this

kv {
source => "[_source][message]"
value_split => "="
field_split => ",\s"
}

But this doesn't work. I also tried "_source.message", "_source.message.value" and "message" as the source, none of these work.

Any idea?

Many thanks.

Cheers,
Vincent

Badger · April 3, 2019, 1:44pm

If that's the message your that logstash is receiving (which is unclear, since it looks like the output from an elasticsearch query, so it could be what you get after logstash writes to ES), then provided you have

filter { json { source => "message" } }

that kv filter should work.

system · May 1, 2019, 1:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using KV with JSON Logstash	7	2544	July 6, 2017
Logstasg KV Logstash	7	595	February 13, 2018
Logstash kv filter questions Logstash	1	444	June 14, 2017
Nested KV Filter in logstash Logstash	4	1511	June 8, 2018
Logstash KV parsing : k=field, v=value Logstash	5	488	June 6, 2018

How to access nested message in logstash KV filter

Related topics