I am using Logstash and Elasticsearch as my backup database. Recently, I discovered an error related to Logstash using the JSON codec to decode my input file JSON. If the JSON does not contain a 'host' field, Logstash automatically inserts the 'host' field. However, some data in my JSON already contains a 'host' field, resulting in different data types for the 'host' field across different documents. This causes errors when Elasticsearch tries to create the template. How can I disable Logstash from automatically adding this field?
Welcome to the community!
- You can disable ECS on the input level or pipeline (
pipeline.ecs_compatibility: disabled) . I assume that you are using the elasticsearch plugin.
input {
elasticsearch {
hosts => "localhost"
query => '{ "query": { "match": { "statuscode": 200 } }, "sort": [ "_doc" ] }'
ecs_compatibility => "disabled"
}
}
- Another option is to remove/update the field manually:
if [host][name]=="logstashhostname" {
mutate { remove_field => [ "host"] }
# or update to empty string ""
mutate { update => { "[host][name]" => "" } }
}