The mutate+gsub is changing the value of the [message] field so that it becomes valid JSON. So it has to be done before the json filter.
@Badger
Still no luck.
filter {
  mutate { gsub => [ "message", "$", "]" ] }
  json {
    source => "message"
    tag_on_failure => [ "_jsonparsefailure" ]
    target => "parsedJson"
  }
  split { field => "parsedJson" }
}
What does the message field look like in Elasticsearch now?