Yeah, I created my own Filebeat module and created a fileset. Then, in the ingest directory, I modified the processors to use dissect, but in Kibana Discover I found it did not work. In case I had written the wrong code, I tried to use the 'remove' method in the processors, but it still did not work.
{
  "description": "Pipeline for parsing filecoin logdata logs",
  "processors": [
    {
      "remove": {
        "field": "ecs"
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.message",
        "value": "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}
And I checked the manifest.yml: ingest_pipeline: ingest/pipeline.json. It's the right setting. After executing make update, I enabled the module in the modules.d directory.
Finally, I checked Kibana Discover but found it did not work (I used the updated data). The 'ecs' field still exists.
Consequently, how can I set my own custom field with the 'source -> message'?
Best wishes.