Hi,
I'm using Filebeat to send logs from Docker instances to Elasticsearch.
The log I am receiving in Elasticsearch has a field called message,
which is a JSON object of the actual log that came out of the container.
How can I change it so that the fields inside message
become root-level fields (making filtering and reading in Kibana easier)?
This is my input config so far:
filebeat.inputs:
- type: docker
  containers:
    path: "/var/lib/docker/containers"
    stream: "all"
    ids:
      - "*"
  json.keys_under_root: true
  json.add_error_key: true
Thank you.