Interpolation in string should be happening but isn't

I have the following document that went through logstash (v7.10.2):

and message was constructed with the snippet:

    mutate {
      add_field => { "message" => "%{[http][request][method]} %{[url][domain]}%{[url][original]}" }
    }

but obviously these values didn't get interpolated - what might cause this?

This appears to be due to having fields in my elastic document as dot-separated:

…
    "http.request.method": "GET",
    "discourse.time.redis": 0.018657,
    "url.domain": "test.example.net",
…

Reading up about this it seems that the Kibana grok debugger behaves completely differently than logstash… which is exactly opposite what you want from a debugging tool?

My patterns are using e.g.:

%{DATA:url.original}

syntax which gives the correct (nested values) result in the grok debugger, but a single dot-separated field name with logstash.

The bracket patterns in kibana:

%{DATA:[url][original]}

give e.g.:

…
  "[url][domain]": "vdc00ent1.staged-by-discourse.com",
…

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.