So I'm sending a log file to Logstash via Filebeat where the log file events are written out in JSON.
Logstash is taking them and inserting them into Elasticsearch just fine from what I can tell, where various keys are being written out under a nested 'json' field.
But whenever I try to reference one of the nested fields in Logstash (e.g. json.transaction.remote_address as "%{[json][transaction][remote_address]}"), I get an "Invalid FieldReference" error. Am I approaching that nested field incorrectly?
If it really is a nested field (and not a fieldname containing periods) and you are using that in a context that accepts sprintf references then you are using it correctly. Can you provide the actual ERROR line from the logstash output as well as an extract from your configuration where you reference it?
If it really is a nested field (and not a fieldname containing periods) and you are using that in a context that accepts sprintf references then you are using it correctly.
This got me thinking. I was trying to reference the nested field in the geoip filter plugin for the source value. I ended up adding a new field using the nested field value and then used that new field as the source for geoip and that worked.
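The workaround described in the last post, written out as a Logstash filter section. This is an added example, not configuration posted by anyone in the thread; the top-level field name `remote_address` and the `geoip` target are assumptions chosen for illustration.

```logstash
filter {
  # Failing form described in the thread: the geoip `source` option is handed
  # a sprintf string, which is what produced "Invalid FieldReference".
  #
  #   geoip { source => "%{[json][transaction][remote_address]}" }

  # Only enrich events that actually carry the nested field. Conditionals take
  # the bare field reference, with no %{...} wrapper. Without this guard, a
  # missing field leaves the literal text "%{[json][transaction][remote_address]}"
  # in the copied field, and geoip then fails its lookup on that string.
  if [json][transaction][remote_address] {

    # Workaround from the thread: add_field accepts sprintf references, so copy
    # the nested value into a new field ("remote_address" is an assumed name).
    mutate {
      add_field => {
        "remote_address" => "%{[json][transaction][remote_address]}"
      }
    }

    # Use the new field as the geoip source.
    geoip {
      source => "remote_address"
      target => "geoip"   # assumed target field for the lookup result
    }

    # Alternative without the extra field: `source` names a field, so the bare
    # field reference can be passed to it directly.
    #
    #   geoip {
    #     source => "[json][transaction][remote_address]"
    #     target => "geoip"
    #   }
  }
}
```

The distinction is between options that take a field name, which want `[a][b][c]`, and options that take a string value, where `%{[a][b][c]}` is expanded to the field's contents.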