Merge field message and msg

raulgs · May 14, 2020, 12:43pm

Hi guys,

I noticed today that for some pods log messages are available in the message field, while for others they in the msg field. Is there some way to merge this field or make them all available over a pointer that links merges the result of both of them?

hunsw · May 14, 2020, 1:08pm

If you have Logstash in your pipeline you can do all kind of alteration to your logs, e.g.

     filter {
        if [msg] {
          mutate {
            rename => { "msg" => "message" }
          }
        }
     }

See
https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

raulgs · May 14, 2020, 2:34pm

I am using fluentd actually for log collection

hunsw · May 14, 2020, 2:37pm

I'm sure fluentd have similar functionality... OR you can switch to FluentBit, forward logs to a Logstash instance then to Elasticsearch.

system · June 11, 2020, 2:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rename fieldname in incoming logs Elasticsearch	2	476	March 14, 2020
Elasticsearch filter and input on different events Logstash	4	2011	November 21, 2017
Same field name with different types? Logstash	3	1606	July 6, 2017
Logstash Elasticsearch output - one field only Logstash	6	752	November 10, 2022
Catenate two fields as message Logs	4	779	December 17, 2018

Merge field message and msg

Related topics