Dear Community,
We use heartbeat to collect http response from some services. The response format is a JSON array and the array is returned in the http.request.body.content field and http.request.body.content.text field. The content fields has type wildcard and the content.text field has type match_only_text. The array may be empty, contain one or more elements.
All heartbeat event are sent to Logstash. In Logstash I try to split an event into several events e.g., one event per tuple in the JSON array. The split filter looks like a perfect match for this task. However, the filter returns this warning instead of splitting:
[2022-04-27T09:27:09,630][WARN ][logstash.filters.split ][beats-port-5044][circuit-breaker_5044_filter] Only String and Array types are splittable. field:http.response.body.content.text is of type = NilClass
I can add a the JSON array in custom field in the beat and drop in Logstash. However, I am wondering if you could suggest a more elegant solution, and why match_only_text fields are not splitable?
Best regards
Flemming