Modify the message outpout

geoffreydjof · March 22, 2020, 7:43pm

Hi,

I have installed Filebeat on my servers to collect json logs. It works great !

I have one question : I would like to know if it's possible to modify the content of a message ?

Let me be more explicit :

In Kiban, there is the source filed, which comes from my filebeat configuration :

filebeat.prospectors:
- paths: "/appl/wasbivh1/*/data/log/json.log"
  input_type: log
  json.keys_under_root: true

So, in Kibana, I have a filed name "source" which prints the path , ie here /appl/wasbivh1/SERVICE/data/log/json.log

What I would like is to be able not to print all the path, but only SERVICE in my kibana.
So the "source" field would print only "SERVICE" (and not all path) in Kibana.

Is there a prospector which could do the job ?

Thanks in advance !

Best regards,

Geoffrey

shaunak · March 23, 2020, 5:15pm

What version of Filebeat are you using?

I ask because recent versions of Filebeat have a dissect processor that might be effective here.

However, the fact that you are using filebeat.prospectors (not filebeat.inputs) tells me that you might be on a version of Filebeat that's too old to have the dissect processor in it. In that case you may be able to setup an Elasticsearch Ingest Node pipeline with a dissect or grok processor in it and configure your Filebeat to use it.

Shaunak

system · April 20, 2020, 5:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.