Logstash split filter does not work with match_only_text type

Dear Community,

We use heartbeat to collect http response from some services. The response format is a JSON array and the array is returned in the http.request.body.content field and http.request.body.content.text field. The content fields has type wildcard and the content.text field has type match_only_text. The array may be empty, contain one or more elements.

All heartbeat event are sent to Logstash. In Logstash I try to split an event into several events e.g., one event per tuple in the JSON array. The split filter looks like a perfect match for this task. However, the filter returns this warning instead of splitting:

[2022-04-27T09:27:09,630][WARN ][logstash.filters.split   ][beats-port-5044][circuit-breaker_5044_filter] Only String and Array types are splittable. field:http.response.body.content.text is of type = NilClass

I can add a the JSON array in custom field in the beat and drop in Logstash. However, I am wondering if you could suggest a more elegant solution, and why match_only_text fields are not splitable?

Best regards

This has nothing to do with match_only_text, which is a concept that only exists in Elasticsearch. In logstash the syntax for referencing that nested field is not the same as in Elasticsearch. Use [http][response][body][content][text]

Hi Badger;

Thanks, it works now as expected.

BR Flemming

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.