JSON Plugin - Ignore Field

QuestBevan · September 30, 2022, 1:57am

Hi All,

Need some advise.

I am currently using filebeat, to send logs to Elasticsearch via Logstash.
Filebeat -> Logstash -> Elasticsearch

Log files are in JSON, and these JSON documents are being expanded as expected. My problem is, I have a JSON field that I don't want to expand, and would prefer to ingest it as "text/string". How can I alter my Logstash filter to not expand that field. The field I don't want to expand is payload.attestation

JSON document looks something like this

{
  "eventId": "9686df",
  "level": "debug",
  "message": "JSON payload",
  "payload": {
    "attestation": {
      "value1": "HASH-aaa-aaa",
      "value2": "bbb",
      "value3": "ccc",
      "value4": "ddd"
    }
  },
  "serial": "1234",
  "timestamp": "2022-09-27T11:02:13.361+10:00"
}

Current filter looks like this:

        mutate {
            add_field => {"json_payload" => ""}
            copy => { "message" => "json_payload" }
        }
        json {
            source => "message"
        }

Badger · September 30, 2022, 3:37am

This answer might help, or this one.

system · October 28, 2022, 3:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.