Kibana prepending json array name


(Ryan ODonnell) #1

I have some AWS cloudtrail logs coming into logstash. For whatever reason KIBANA seems to be prepending the JSON array names to the keywords in the GUI, is there anyway to disable this?

Logstash rubydebug showing no alteration of keywords:

"host" => "cloudtrail",
"@timestamp" => 2018-12-03T02:21:10.000Z,
"source" => "AwsApiCall",
"Records" => {
"eventVersion" => "1.05",
"eventType" => "AwsApiCall",
"awsRegion" => "us-east-1",
"eventID" => "1875455e-1910-4a28-8906-15677ab61343",
"recipientAccountId" => "",
"eventTime" => "2018-12-03T02:21:10Z",
"eventName" => "AssumeRole",
"requestParameters" => {
"roleArn" => "",
"roleSessionName" => ""
},
"userIdentity" => {
"invokedBy" => "ec2.amazonaws.com",
"type" => "AWSService"
},
"requestID" => "",
"sharedEventID" => "bf6beb99-248d-407d-b5c2-ef7b5d68675c",
"resources" => [
[0] {
"accountId" => "",
"type" => "AWS::IAM::Role",
"ARN" => ""
}
],
"responseElements" => {
"credentials" => {
"sessionToken" => "",
"expiration" => "Dec 3, 2018 8:50:11 AM",
"accessKeyId" => ""
}
},
"userAgent" => "ec2.amazonaws.com",
"eventSource" => "sts.amazonaws.com",
"sourceIPAddress" => "ec2.amazonaws.com"
},
"program" => "AssumeRole",
"tags" => [
[0] "cloudtrail",
[1] ""
],
"@version" => "1"

Kibana keywords:

It should be eventType, awsRegion etc vs Records.awsRegion, Records.eventType


(system) closed #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.