Moving JSON inner field to root level

mecavity · August 22, 2018, 1:55pm

Hi,

I'm using filebeats to send logs from docker instances to elasticsearch.

The log I am receiving in elasticsearch has a field called message which is a JSON object of the actual log that came out of the container.

How can I change it so that the fields inside message become root level fields (making filtering and reading on kibana easier).

This is my input config so far:

filebeat.inputs:

type: docker
containers:
path: "/var/lib/docker/containers"
stream: "all"
ids:
- "*"
json.keys_under_root: true
json.add_error_key: true

Thank you.

mecavity · August 23, 2018, 4:01pm

Ended up using Logstash.

system · September 20, 2018, 4:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON log, only root level fields being indexed Beats filebeat	10	1608	July 27, 2018
Decode_json_fields.fields: ["message"] decodes JSON logs with "logs" Beats filebeat	1	325	September 30, 2019
Parsing dockers files with logstash Logstash	2	353	April 10, 2018
Tried to parse field [log_json] as object Beats filebeat	1	449	February 14, 2019
Issue with JSON logs and field 'log.level' Beats filebeat	3	416	July 30, 2019

Moving JSON inner field to root level

Related topics