Hello, I'm looking for help with parsing json data out of a log field. I'm using the elastic agent standalone in Kubernetes and not sure how to configure it for this. I believe the filebeat portion of the elastic agent is indexing the messages. Some of the fields I would like to index as a numeric integer if possible. Right now the events come in as something like this from the stdout of the containers and are pretty much useless in Kibana to build visualizations around:
Thanks for the links. Since I was using Elastic Agent, I was able to do it with this processor:
```yaml
processors:
  - if:
      regexp:
        message: "^.*APP-METRIC.*$"
    then:
      # Rename fields entry as it seems to conflict with elastic field names
      - replace:
          fields:
            - field: "message"
              pattern: "fields"
              replacement: "myappname"
          ignore_missing: true
          fail_on_error: false
      # Strip out anything in the message field left of APP-METRIC as it is not wanted
      - replace:
          fields:
            - field: "message"
              pattern: "^.*APP-METRIC"
              replacement: ""
          ignore_missing: true
          fail_on_error: false
      # Decode the remaining message field to json
      - decode_json_fields:
          fields: ["message"]
          process_array: true
          max_depth: 1
          target: "myappstats"
          overwrite_keys: false
          add_error_key: false
```
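An added example, not part of the original post or of Elastic's code: a small Python model of the processor chain above, run over constructed log lines, to check offline what each step leaves in the event. The sample lines and the name `apply_processors` are assumptions, and the model applies the config's patterns with Python's `re` and `json` rather than running Beats itself.

```python
import json
import re

# Patterns copied from the processor config in the post above.
CONDITION = re.compile(r"^.*APP-METRIC.*$")
RENAME = re.compile(r"fields")
STRIP_PREFIX = re.compile(r"^.*APP-METRIC")


def apply_processors(event):
    """Model of the if/then chain: two replaces, then decode_json_fields."""
    out = dict(event)
    msg = out.get("message")
    if not isinstance(msg, str) or not CONDITION.search(msg):
        return out  # condition false: event passes through untouched
    # replace #1 is a plain regex substitution, so every occurrence of
    # "fields" changes, in JSON keys and in values alike.
    msg = RENAME.sub("myappname", msg)
    # replace #2: the greedy ^.* removes everything up to the last APP-METRIC.
    msg = STRIP_PREFIX.sub("", msg)
    out["message"] = msg
    # decode_json_fields with target "myappstats" and add_error_key: false,
    # modelled here as: on a parse failure nothing is added to the event.
    try:
        out["myappstats"] = json.loads(msg)
    except json.JSONDecodeError:
        pass
    return out


# Constructed sample lines; the original post's sample is not on the page.
SAMPLES = [
    '2024-01-01T00:00:00Z INFO APP-METRIC {"fields": {"requests": 42, "latency_ms": "17"}}',
    '2024-01-01T00:00:01Z INFO APP-METRIC {"note": "subfields=3"}',
    '2024-01-01T00:00:02Z INFO APP-METRIC truncated {"fields": {"req',
    '2024-01-01T00:00:03Z INFO ordinary line mentioning fields',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(json.dumps(apply_processors({"message": line})))
```

In the first sample `requests` decodes as an integer while the quoted `latency_ms` stays a string, so values meant to be numeric have to be emitted unquoted by the application. The third sample shows a truncated line keeping its rewritten `message` but gaining no `myappstats` key.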