Object to string gets indexed as object in elasticsearch

derEremit · September 22, 2016, 3:43pm

I need to convert a field to string so it does not create multiple fields and subfields in elasticsearch.

Reason is I get logs from a source I can't control and they are in the format

data: {
  23423432_23434343: { ... }
}
data: {
 450546540_3450345: { ... }
}

and thousands of that

so I now have thousands of fields in kibana which basically makes it unusable

so i created in my logstash conf

if [plaindata] {
    mutate {
      convert => { "plaindata" => "string" }
    }
  }

but I still get plaindata.foo.bar.baz fields

is what I tried the correct way to handle this problem?
What I need is plaindata as a searchable field as it can contain valuable debug information

magnusbaeck · September 22, 2016, 5:11pm

Maybe the json_encode filter could be useful?

derEremit · September 25, 2016, 6:34pm

that worked, thanks

Topic		Replies	Views
Convert JSON Object to string Logstash	3	8311	February 23, 2017
How to convert string to JSON? Logstash	10	9431	November 3, 2017
HOW TO logstash convert all fields to String Logstash	3	753	August 26, 2020
Logstash - json log line has field that can be either string or another json object: seems to anger elasticsearch Logstash	2	829	January 24, 2018
Convert a field datatype to object or nested in logstash Logstash	7	5282	July 6, 2017