Nested object Logstash not parsing correctly

Hello, can you help me solve this issue?
I have a nested object "host" => { "name" => "myserver" } like below:

    "cluster" => "xxx-logs",
    "name" => "xxx2",
    "component" => "xxx",
    "host" => {
        "name" => "myserver"
    },

If I want to parse it with the mutate filter and replace like this:

    mutate {
        replace => { "host" => "%{[host][name]}" }
    }

I got the correct value "host" => "myserver" with output to console like this:

    output {
        stdout {
            # print each event in full to the console
            codec => rubydebug
        }
    }

BUT ....
If I send it to Kibana I got this:
host %{[host][name]}

What am I doing wrong?
The index field type is text in the index template.

Anyone?

You need to share some sample of your logs and your pipeline so people may try to replicate.

Also, share the real output you got on console, you didn't share the output.

And share your index template as well.

Keep in mind that the recommendation is to use ECS fields in the mappings, and host is an object in ECS, not a string text.

What is your input? Some inputs will add the host field, and it may override and conflict if you also have a host field in your message, but since you didn't provide any information about your input and other filters it is not possible to know.

Hello,
I had the wrong name in my filter. Sorry.
Instead of
replace => { "host" => "%{[host][hostname]}" }
I used
replace => { "host" => "%{[host][name]}" }

This was a nested field.

"host" => {
        "hostname" => "myhostname"

And now it is parsed correctly.
"hostname" => "myhostname"

But in Kibana it is still showing like:
image

While rubydebug is correct.
image

My fields in index linux:
image

Index template:

{
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "ilm-linux",
          "rollover_alias": "linux"
        },
        "number_of_shards": "10",
        "routing": {
          "allocation": {
            "include": {
              "_tier_preference": "data_content"
            }
          }
        }
      }
    },
    "mappings": {},
    "aliases": {}
  }
}

And this is the event I am trying to parse:
2024-10-11T13:26:22+02:00 bts-test daemon.info patroni 1328417 - - 2024-10-11 13:26:22,893 INFO: no action. I am (bts-test), a secondary, and following a leader (bts-test2)

After the upgrade to 8.15.2 the issue disappeared, maybe a bug?
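
Added example, not part of the thread or any poster's configuration: a filter that runs the `replace` only when the referenced subfield exists, because Logstash leaves an unresolved `%{[field]}` reference in the event as literal text, which is how the string `%{[host][name]}` can end up in an index. The tag name `_host_subfield_missing` is a made-up placeholder.

```logstash
filter {
  # A field reference used as a condition is true only when the field
  # exists on the event (and is not null or false).
  if [host][hostname] {
    mutate {
      # Safe: the subfield exists, so the reference resolves to its value.
      replace => { "host" => "%{[host][hostname]}" }
    }
  } else if [host][name] {
    mutate {
      replace => { "host" => "%{[host][name]}" }
    }
  } else {
    mutate {
      # Neither subfield is present. Leave "host" untouched and tag the
      # event so it can be found later, instead of writing the raw
      # "%{...}" placeholder into the index.
      # (hypothetical tag name, chosen for this example)
      add_tag => [ "_host_subfield_missing" ]
    }
  }
}

output {
  # Print the full event so the final shape of "host" (string or object)
  # and any tags can be checked before the event is sent to an index.
  stdout {
    codec => rubydebug
  }
}
```

Searching the index for the tag then shows which events arrived without the expected nested field.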