Hi,
given you get the following access-log:
{
  "container_id": "b62946591d90f24",
  "service": "slash",
  "bytes_received": 0,
  "input": {},
  "type": "filebeat",
  "protocol": "HTTP/1.1",
  "bytes_sent": 8236,
  "host": "docker-48",
  "response_time": 34,
  "tags": [
    "filebeat",
    "beats_input_raw_event"
  ],
  "query_string": {},
  "log_type": "access",
  "status": 200,
  "loglevel": "info",
  "request_method": "GET",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36",
  "uri": "/services/my-service",
  "remote_address": "172.17.0.1",
  "stream": "stdout"
}
The mapping for the field query_string is set to text.
This causes ES to complain, because query_string is an (empty) object.
How would you filter for this (sort of) invalid field in Logstash? (or prevent the creation)
Tools: Docker, filebeat v6 + Logstash v6 (with the idea to upgrade to v7 soon)
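
One way to normalize the field before it reaches Elasticsearch, as an added example that is not part of the original post: the logic is modelled in plain Ruby on a Hash, and inside a Logstash `ruby` filter the same branches would use `event.get`, `event.remove` and `event.set`. The function name, the choice to flatten a non-empty object into a form-encoded string, and the sample events are assumptions made for illustration.

```ruby
require "json"
require "uri"

# Added example (not from the original post). Plain-Ruby model of the logic
# a Logstash `ruby` filter would run on each event.
FIELD = "query_string"

# Make `query_string` safe for an index where it is mapped as `text`:
#   {} or nil     -> field removed, so the rest of the event is still indexed
#   {"a" => "1"}  -> "a=1" (object flattened to a form-encoded string)
#   String        -> left unchanged
def normalize_query_string(doc)
  return doc unless doc.key?(FIELD)

  value = doc[FIELD]
  case value
  when Hash
    if value.empty?
      doc.delete(FIELD)
    else
      doc[FIELD] = URI.encode_www_form(value)
    end
  when nil
    doc.delete(FIELD)
  end
  doc
end

# Constructed sample events modelled on the access log above.
SAMPLES = [
  '{"uri":"/services/my-service","status":200,"query_string":{}}',
  '{"uri":"/services/my-service","status":200,"query_string":{"page":"2","q":"a b"}}',
  '{"uri":"/services/my-service","status":200,"query_string":"page=2"}',
  '{"uri":"/services/my-service","status":200}'
].freeze

def run_samples
  SAMPLES.map { |line| normalize_query_string(JSON.parse(line)) }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each { |doc| puts JSON.generate(doc) }
end
```

Removing only the offending field keeps the access-log event itself in the index, so a mapping conflict does not turn into a silently dropped request record.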