I've spent quite a while reworking my Apache/nginx Logstash filter to be ECS-compliant, mostly using the http field sets. The newly formatted events are indexing correctly and look fine in Kibana Discover, but in the Infra/Logs interface most of the message field displays "undefined".
11:26:48.752 127.0.0.1 - - [01/Apr/2020:22:26:48 +0000] "get /something" 400 173 "-" "-" "-"
10:40:46.582 [undefined][access] undefined undefined "GET /?undefined HTTP/undefined" 200 undefined
I'm really not sure what's going on here. I assumed the logs interface would just display the message field, but it seems to be trying to parse some other fields in the event.
The settings in the Logs interface are pretty standard. Just a customised index name (which it can read fine) and some columns. The only thing of note is that this is in a particular user's space, but it's the only place we currently have http events.
How do I fix this, and continue using ECS fields for my events? At the moment I've had to roll back to my old filters, which doesn't bode well for converting the rest of my pipeline to ECS.