How to access nested message in logstash KV filter

Vincent_Chen · April 3, 2019, 2:18am

Hi everyone,

I want to use KV filter to parse a nested message field, see below for my sample json:

  {
    "_index": "myindex",
    "_type": "doc",
    "_id": "myid",
    "_score": 5.339951,
    "_source": {
      "msg": "some msg",
      "message": "a=1, b=2, c=3, d=4"
    }
  }

And I tried using a kv filter like this

kv {
source => "[_source][message]"
value_split => "="
field_split => ",\s"
}

But this doesn't work. I also tried "_source.message", "_source.message.value" and "message" as the source, none of these work.

Any idea?

Many thanks.

Cheers,
Vincent

Badger · April 3, 2019, 1:44pm

If that's the message your that logstash is receiving (which is unclear, since it looks like the output from an elasticsearch query, so it could be what you get after logstash writes to ES), then provided you have

filter { json { source => "message" } }

that kv filter should work.

system · May 1, 2019, 1:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.