How to filter of parsed json?

Albert_Aleksandrov · August 14, 2025, 12:52pm

Hi all!

I have a log like that:

{
  "_index": "index1",
  "_type": "_doc",
  "_id": "sdvsdv",
  "_version": 1,
  "_score": null,
  "_source": {
    "@metadata": {
      "beat": "filebeat",
      "type": "_doc",
      "version": "7.10.0"
    },
    "@timestamp": "2025-08-14T12:40:11.689Z",
    "agent": {
      "ephemeral_id": "sdvsd-5743-dsv-964b-sdvsdv",
      "hostname": "filebeat-filebeat-s2w5d",
      "id": "sdvsdvsdv-dd25-46b1-8f25-c4bb7d274873",
      "name": "filebeat-filebeat-sdvsdv",
      "type": "filebeat",
      "version": "7.10.0"
    },
    "container": {
      "id": "dsvsdvsdvdsvdvd",
      "image": {
        "name": "sha256:sdvdsvsdvsdv"
      },
      "runtime": "containerd"
    },
    "ecs": {
      "version": "1.6.0"
    },
    "host": {
      "name": "filebeat-filebeat-dsvsdv"
    },
    "input": {
      "type": "container"
    },
    "kubernetes": {
      "container": {
        "image": "sha256:dsvsdvsdvsdvsd",
        "name": "controller"
      },
      "namespace": "ingress-nginx",
      "node": {
        "name": "w-sdvsd-dssdvd"
      },
      "pod": {
        "name": "ingress-nginx-controller-sdvsdvsdvsd-zhfph",
        "uid": "dsvdsv-sdv-dsvds-fvdf-sdvsdvsdv"
      },
      "replicaset": {
        "name": "ingress-nginx-controller-sdvsdvs"
      }
    },
    "log": {
      "file": {
        "path": "/var/log/containers/ingress-nginx-controller-sdvs-zhfph_ingress-nginx_controller-gfsdvsdvsdvsdvdsvsdvsdvsdv.log"
      },
      "offset": 2286315
    },
    "message": "{\"time\": \"2025-08-14T12:40:11+00:00\", \"remote_addr\": \"\", \"x_forwarded_for\": \"172.20.114.235, 100.127.184.0\", \"request_id\": \"sdvdsvsdvsdvdsvsd\", \"remote_user\": \"\", \"bytes_sent\": 1298, \"request_time\": 0.120, \"status\": 303, \"vhost\": \"tpartner.x5.ru\", \"request_proto\": \"HTTP/1.1\", \"path\": \"/dfbdfbdfbdfb/media/fdbdfbfd-7bc5-4694-a7b6-dfbfbfdb/dfbdfbdf.jpg\", \"request_query\": \"\", \"request_length\": 4684, \"duration\": 0.120,\"method\": \"GET\", , \"http_user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\", \"mail2\": \"\" }",
    "stream": "stdout"
  },
  "fields": {
    "@timestamp": [
      "2025-08-14T12:40:11.689Z"
    ]
  },
  "sort": [
    1755175211689
  ]
}

There you can see a message key. The value in the key is from docker containers output. As you could notice the value is json. As it is a string one cannot filter its fields. Is it possible to convert it to json (on fly) and the filter?

P.S. I cannot convert in logstash or something like that.

Tortoise · August 14, 2025, 4:46pm

Hello @Albert_Aleksandrov

Can we use ingest pipeline ? As you mentioned we cannot use logstash in your case, correct?
If yes, than we can see the ingest pipeline which will extract the message as you need.

Thanks!!

Topic		Replies	Views
How to process json logs from docker container Logstash docker	2	964	April 18, 2022
Filter JSON message in kibana Kibana	2	4664	October 4, 2022
How to parse docker logs (nested serialized JSON) Logstash	2	2805	June 14, 2017
Not able to view json data in available fields for message json Kibana docker	14	2602	July 16, 2021
Parsing the json object in kibana Kibana	6	8179	January 12, 2017

How to filter of parsed json?

Related topics