When I have both a.b and c.d in one log entry, and try to mutate-convert them, only first conversion occures, and the second is not, so it causes logstash to throw failed to parse field warning.
Current config is:
filter {
mutate {
convert => {
"[query][from]" => "string"
"[query][to]" => "string"
}
}
}
Can anybody advice on how to convert both fileds at once?
When I use the construction above I get parsing error about query.to field. If In filter I put converts in that order:
convert => {
"[query][to]" => "string"
"[query][from]" => "string"
}
I get error regarding query.from field, which makes me think that somehow only one convert action applies, if both fields are present in log entry
tried the same with not nested fields - same behaviour
All is good, it was elastic index, who refused to reindex properly
Not logstash problem. please close the issue
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.