filebeat is mapping my json fields to a "message" field that I have not created and do not allow dynamic fields. Is this because I'm using decode json feature in filebeat.yml? Is there an attribute related to this behavior. I don't have much in my yml, I have had it map directly to the desired fields but it was pulling 100+ fields it shouldnt.
If you would like Filebeat to put the decoded JSON under a specific key, you need to set the option target under decode_json_fields. See more: https://www.elastic.co/guide/en/beats/filebeat/master/decode-json-fields.html
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.