The mutate+gsub is changing the value of the [message] field so that it becomes valid JSON. So it has to be done before the json filter.
@Badger
Still no luck.
filter {
  mutate { gsub => [ "message", "$", "]" ] }
  json {
    source => "message"
    tag_on_failure => [ "_jsonparsefailure" ]
    target => "parsedJson"
  }
  split { field => "parsedJson" }
}
Hi @Badger
Any further advice?
What does the message field look like in elasticsearch now?