Observability field composition of Stream Logs message

b790718 · May 12, 2025, 2:39pm

Elasticsearch: v8.11.0
Kibana: v8.11.0
Filebeat: v8.11.0
APM Agent: nodejs v8.10.0

I use winston logger with ecs-winston-format.
I am so confused about what field composition of Stream Message is ?
When I set ecsFomat config > convertReqRes : true, Stream Logs message first "" is always empty.
I can't find the field composition of message in document

weltenwort · May 12, 2025, 3:03pm

Hi @b790718,

I agree this doesn't look perfect. What the UI attempts to do here is to interpolate the event.dataset field. This is part of the message reconstruction heuristics, which go astray sometimes.

If you're on a recent version of the Elastic Stack, you might want to try out Discover in a Kibana space configured for Observability: Explore logs in Discover | Elastic Docs

Nowadays Discover adapts its rendering to suit the use-case better when the data viewed are log entries.

Topic		Replies	Views
Observability Overview - Logs not shown as log source Elastic Observability ecs-elastic-common-schema	23	209	October 17, 2024
Kibana infra/logs displaying "undefined" for ECS-formatted events Logs	6	1137	May 12, 2020
Log UI failed to format message from Logs	5	3566	February 5, 2019
Customizing message field for Ecs logging method of java applications Beats ecs-elastic-common-schema , filebeat	3	771	July 15, 2020
Easily parseable log format (ideally, CEF format) in ELS / Kibana / Fluentd Elasticsearch	1	864	July 14, 2017

Observability field composition of Stream Logs message

Related topics