Nested object logstash not parsing correctlly

miiroslavkardos · September 18, 2024, 10:36pm

Hello , can u help me solve the issue.
I have nested object "host" => { "name" => "myserver" } like below

"cluster" => "xxx-logs",
 "name" => "xxx2",
 "component" => "xxx",
                **"host" => {**
**        "name" => "myserver"**
**    },**

If i want to parse it with mutate filter and replace like this :

 mutate {
                replace => {"host" => "%{[host][name]}"}
                }

I got correct value "host" => "myserver" with output to console like this :

utput {
                stdout {
                codec => rubydebug
                       }

BUT ....
If I send it to kibana i got this :
host %{[host][name]}

What am i doing wrong?
Index field type is text. in index template

miiroslavkardos · October 11, 2024, 10:02pm

Anyone?

leandrojmp · October 12, 2024, 3:33am

You need to share some sample of your logs and your pipeline so people may try to replicate.

Also, share the real output you got on console, you didn't share the output.

And share your index template as well.

Keep in mind that the recommendation is to use ECS fields in the mappings, and host is an object in ECS, not a string text.

What is your input? Some inputs will add the host field, and it may override and conflict if you also have a host field in your message, but since you didn't provide any information about your input and other filters it is not possible to know.

miiroslavkardos · October 14, 2024, 6:45pm

Hello,
I had wrong name in my filter. Sorry
Instead of
replace => { "host" => "%{[host][hostname]}" }
i used
replace => { "host" => "%{[host][name]}" }

This was nested field.

"host" => {
        "hostname" => "myhostname"

And now it is parsed correctly.
"hostname" => "myhostname"

But in Kibana it is still showing like :

While rubydebug is correct.

miiroslavkardos · October 14, 2024, 6:52pm

My fields in index linux:

Index template :

{
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "ilm-linux",
          "rollover_alias": "linux"
        },
        "number_of_shards": "10",
        "routing": {
          "allocation": {
            "include": {
              "_tier_preference": "data_content"
            }
          }
        }
      }
    },
    "mappings": {},
    "aliases": {}
  }
}

miiroslavkardos · October 15, 2024, 6:09pm

And this is event i am trying to parse:
2024-10-11T13:26:22+02:00 bts-test daemon.info patroni 1328417 - - 2024-10-11 13:26:22,893 INFO: no action. I am (bts-test), a secondary, and following a leader (bts-test2)

miiroslavkardos · October 17, 2024, 8:11am

After upgrade to 8.15.2 issue dissaperead maybe bug?