First try:-
filter {
mutate {
gsub => [ "message", "^\w+`string`", "" ]
}
json {
source => "message"
remove_field => "message"
}
}
Second try:-
filter {
mutate {
gsub => [ "message", "^\w+`string`", "" ]
}
json {
source => "message"
}
mutate {
remove_field => "message"
}
}
Tried both, got parse error, with tag _jsonparsefailure
Thanks for your help
I would normally use
json { source => "message" remove_field => [ "message" ] }
That will remove the [message] field if it is successfully parsed, otherwise it will leave it on the event, which gives you a chance to see what is wrong with it. Nothing you do with remove_field will affect whether you get a _jsonparsefailure tag. That is telling you that the [message] field is not valid JSON.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.